PEAP + AD

Alan DeKok aland at nitros9.org
Thu May 25 18:55:54 CEST 2006


"Chris Liles" <Chris.Liles at air2web.com> wrote:
> What "hooks" are you talking about? The extensions for unix services?

  No.  There are APIs in Windows to catch password changes, and pass
them through your own code.  That code can then *also* write the
password to a different part of the AD schema.

  For this to work, it requires:

  - someone to understand & write the code
  - the code to run on *every* member of an AD forest
  - the AD schema to be updated to include the new ntpassword attribute
  - AD ACLs put in place to limit access to that attribute to FreeRADIUS
  - FreeRADIUS to be configured to look for that attribute.

  It shouldn't be hard, but convincing admins to change their AD
schema and run third-party code on their DCs is often hard.

  Alan DeKok.
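The last two requirements in the list above (an ACL-restricted attribute and FreeRADIUS looking it up) meet in the ldap module configuration. The fragment below is an added example, not taken from this thread or from the FreeRADIUS project's shipped configuration. It assumes FreeRADIUS 3.x syntax, a custom AD attribute named ntPassword that the password-change hook fills with the 16-byte NT hash as 32 hex characters, and a dedicated bind account; the server name, DNs and bind password are placeholders.

```conf
# mods-available/ldap  (FreeRADIUS 3.x syntax; placeholder host, DNs and password)
ldap {
    server   = "dc01.example.local"
    identity = "cn=freeradius,ou=Service Accounts,dc=example,dc=local"
    password = "bind-password-placeholder"
    base_dn  = "dc=example,dc=local"

    # The bind account above is the only principal the AD ACL allows to
    # read ntPassword; no other user or group gets read access to it.
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # Custom attribute written by the password-change hook.  Stored as
        # 32 hex characters; rlm_mschap decodes that form on its own.
        control:NT-Password := 'ntPassword'
    }

    tls {
        start_tls    = yes        # the bind password must not cross the wire in clear text
        require_cert = "demand"   # and only to a DC presenting a trusted certificate
    }
}

# sites-available/inner-tunnel  (the virtual server PEAP hands the inner
# MS-CHAPv2 request to)
authorize {
    ldap       # populates control:NT-Password from the ntPassword attribute
    mschap     # sees MS-CHAP-Challenge/Response and sets Auth-Type := MS-CHAP
}
authenticate {
    Auth-Type MS-CHAP {
        mschap # verifies the MS-CHAPv2 response against control:NT-Password
    }          # locally, so no ntlm_auth or winbind call is needed
}
```

With NT-Password present in the control list, rlm_mschap computes the MS-CHAPv2 response check itself, which is why the hook only needs to store the NT hash and not the clear-text password. The ACL is what keeps that attribute from becoming a second copy of the password database readable by every domain user, so it deserves the same review as the schema change.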



More information about the Freeradius-Users mailing list