CHAP and Windows 2003 AD LDAP

Josh Howlett josh.howlett at bristol.ac.uk
Wed Jul 5 19:14:25 CEST 2006


Hi Phil,

On 5 Jul 2006, at 17:43, Phil Mayers wrote:

> Stefan Winter wrote:
>> Hi,
>>> I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
>> How about 1.1.2? Upgrading is easy, and it fixes at least one security bug.
>>> querying a Windows 2003 Active Directory server using LDAP.
>>>
>>> I've got LDAP working for PAP queries, but CHAP comes back with the
>>> "rlm_chap: Could not find clear text password".
>> AD and LDAP-mode don't work together. The AD server will not give away the user's attribute. If you want CHAP to work, you will need to use ntlm_auth.
>
> That is not correct. If you want to use *MS-CHAP* you must use ntlm_auth (or extract the NT hash another way).
>
> If you want to use CHAP, i.e. plain-old CHAP as implemented by the rlm_chap module listed above, you MUST have the user's plaintext password, which AD does not maintain by default and, even if it is told to, cannot be persuaded to give up.

Any idea how IAS gets hold of it for CHAP?

josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: josh.howlett at bristol.ac.uk | phone: +44 (0)7867 907076 | internal: 7850
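As an added illustration of the point Phil makes above (this is example code written for this archive page, not FreeRADIUS, rlm_chap or ntlm_auth code): plain CHAP from RFC 1994 is verified by recomputing MD5(Identifier || secret || challenge), so the server must hold the secret itself in cleartext, whereas what Active Directory keeps is the NT hash, MD4 over the UTF-16LE password, which is what ntlm_auth works from for MS-CHAP. The password, the 16-byte challenge and the two dict "credential stores" standing in for an LDAP directory with a cleartext attribute and for AD are constructed for the example; the pure-Python MD4 is only a fallback for builds of hashlib where OpenSSL no longer exposes MD4.

```python
import hashlib
import hmac
import struct


# ---- MD4, needed for the NT hash. hashlib only has it when OpenSSL's legacy
# ---- provider is loaded, so a plain-Python RFC 1320 fallback is included.
def _md4_pure(data: bytes) -> bytes:
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & mask & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rot((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = rot((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & mask,
                    (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = rot((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                 # OpenSSL 3 without the legacy provider
        return _md4_pure(data)


def nt_hash(password: str) -> bytes:
    """The credential AD actually stores: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


# ---- Plain CHAP (RFC 1994) as carried in RADIUS (RFC 2865 CHAP-Password):
# ---- one Identifier octet followed by MD5(Identifier || secret || challenge).
def chap_password(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + cleartext + challenge).digest()


def verify_chap(chap_pw: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """What a CHAP verifier such as rlm_chap has to do: recompute the response
    from the stored *cleartext* secret and compare. No hash of the secret will do,
    because the secret sits inside the MD5 input next to the fresh challenge."""
    if len(chap_pw) != 17:
        return False
    expected = chap_password(chap_pw[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_pw)


class NoCleartextPassword(LookupError):
    """Same situation as "rlm_chap: Could not find clear text password"."""


def verify_chap_against_store(chap_pw: bytes, challenge: bytes, store: dict) -> bool:
    # store is a constructed stand-in for the attributes a directory returns.
    if "cleartext" not in store:
        raise NoCleartextPassword("CHAP needs the cleartext secret; an NT hash is not enough")
    return verify_chap(chap_pw, challenge, store["cleartext"])


def demo() -> dict:
    """Walk through the thread's scenario with constructed values."""
    password = "password"                                          # constructed
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed CHAP-Challenge
    chap_pw = chap_password(0x2A, password.encode(), challenge)    # what the NAS sends

    cleartext_store = {"cleartext": password.encode()}   # LDAP directory holding the cleartext
    ad_like_store = {"nt_hash": nt_hash(password)}       # AD: only the NT hash is available

    result = {"chap_ok_with_cleartext": verify_chap_against_store(chap_pw, challenge, cleartext_store)}
    try:
        verify_chap_against_store(chap_pw, challenge, ad_like_store)
        result["chap_ok_with_nt_hash_only"] = True
    except NoCleartextPassword:
        result["chap_ok_with_nt_hash_only"] = False
    result["nt_hash"] = ad_like_store["nt_hash"].hex()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MS-CHAP side is not shown: its response is a DES computation keyed from the NT hash, which is why a verifier with access to the hash (ntlm_auth talking to the domain controller) can handle MS-CHAP but still cannot answer a plain CHAP challenge.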