CHAP and Windows 2003 AD LDAP
Josh Howlett
josh.howlett at bristol.ac.uk
Wed Jul 5 19:14:25 CEST 2006
Hi Phil,
On 5 Jul 2006, at 17:43, Phil Mayers wrote:
> Stefan Winter wrote:
>> Hi,
>>> I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
>> How about 1.1.2? Upgrading is easy, and it fixes at least one
>> security bug.
>>> querying a Windows 2003 Active Directory server using LDAP.
>>>
>>> I've got LDAP working for PAP queries, but CHAP comes back with the
>>> "rlm_chap: Could not find clear text password".
>> AD and LDAP-mode don't work together. The AD server will not give
>> away the user's attribute. If you want CHAP to work, you will need
>> to use ntlm_auth.
>
> That is not correct. If you want to use *MS-CHAP* you must use
> ntlm_auth (or extract the NT hash another way).
>
> If you want to use CHAP, i.e. plain-old CHAP as implemented by the
> rlm_chap module listed above, you MUST have the user's plaintext
> password, which AD does not maintain by default and, even if it is
> told to, cannot be persuaded to give up.
Any idea how IAS gets hold of it for CHAP?
josh.
Josh Howlett, Networking Specialist, University of Bristol.
email: josh.howlett at bristol.ac.uk | phone: +44 (0)7867 907076 |
internal: 7850