PAP credentials against AD?

Guy Davies aguydavies at gmail.com
Wed Feb 15 17:03:28 CET 2006


Hi Josh,

So long as the user is a valid user, it can be used to do the bind,
AFAIK.  I used to do this at the office.  Our AD Admins created a
special account with a non-expiring password but no other special
privileges to authenticate the search/bind and that worked fine.

We used to use EAP-TTLS/PAP for wireless login.  We also used the GINA
module in the 802.1x supplicant we had to authenticate prior to
completion of Windows login so that login scripts worked properly too
:-)

Rgds,

Guy

On 15/02/06, Josh Howlett <josh.howlett at bristol.ac.uk> wrote:
> Hi Stefan,
>
> We probably need a freeradius-eduroam list :-)
>
> >>Is it possible to authenticate PAP credentials from the NAS against a
> >>Windows domain using NTLM? I've tried using the mschap module, but it
> >>expects to see a Challenge that the NAS doesn't provide.
> >
> >
> > If you want to authenticate against AD and have PAP credentials available,
> > just treat the AD server like an LDAP server, i.e.: the ldap {} section is
> > for you. It will use the credentials to bind as the user to AD, and if that
> > succeeds the user is allowed in.
>
> I didn't realise that AD allowed authenticated binds from users by
> default. Does it require some special tweaking? Our AD admins are *very*
> cautious about who talks to it... (probably very sensible).
>
> best regards, josh.
>
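
The search-then-bind flow discussed in this thread, as an added example that is not code from any poster or from FreeRADIUS: a low-privilege service account finds the user's DN, then the PAP password is checked by binding as that DN. `FakeDirectory`, the DNs, the passwords and the `sAMAccountName` filter are constructed assumptions so the two checks a bind-based backend needs (filter escaping, refusing empty passwords) run offline.

```python
SVC_DN = "CN=svc-radius,OU=Service,DC=example,DC=org"    # constructed
USER_DN = "CN=Alice Example,OU=Staff,DC=example,DC=org"  # constructed

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a search-filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed stand-in for the directory; not a real LDAP client."""
    accounts = {SVC_DN: ("svc-radius", "svc-secret"),
                USER_DN: ("alice", "correct horse")}

    def simple_bind(self, dn, password):
        # RFC 4513 "unauthenticated bind": a DN with an empty password.
        # A server that accepts it reports success without checking anything.
        if password == "":
            return True
        return dn in self.accounts and self.accounts[dn][1] == password

    def search(self, ldap_filter):
        # Understands only (sAMAccountName=<value>); a bare * matches all.
        value = ldap_filter[len("(sAMAccountName="):-1]
        return [dn for dn, (name, _) in self.accounts.items()
                if value == "*" or escape_filter_value(name) == value]

def authenticate(directory, svc_password, username, password):
    """Search as the service account, then bind as the user found."""
    if not username or not password:
        return False          # never let an empty password reach the bind
    if not directory.simple_bind(SVC_DN, svc_password):
        raise RuntimeError("service account bind failed")
    matches = directory.search(
        "(sAMAccountName=%s)" % escape_filter_value(username))
    if len(matches) != 1:
        return False          # unknown or ambiguous user
    return directory.simple_bind(matches[0], password)
```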




More information about the Freeradius-Users mailing list