Freeradius in an AD environment on opensuse server
Maurizio Cimaschi
mauri at unixrulez.org
Sat Aug 16 10:26:01 CEST 2008
Alan DeKok wrote:
> The *client* has to supply the MS-CHAP magic using the LAN-manager
> password. Since the client always chooses NT-hashed passwords... using
> LAN manager passwords is not possible.
From the README in src/modules/rlm_mschap:
*****
The method just described is called NT-encryption by the RFC. MS-CHAP is
actually designed for compatibility with Microsoft LAN Manager as well.
The response returned by the client actually contains an LM encrypted
response as well as the NT-encrypted password. This implementation only
uses the NT-encrypted response, which seems to work fine for Windows 98
and Windows 2000.
*****
So it seems more a limit of the server.
Could it be possible to see in the debug if the two encrypted pwd are
available? If they're there it could be possible to write a patch and,
possibly, to attach directly to the AD (which seems to make that LM pwd
available).
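
One way to check from debug output whether both responses are present, as an added example that is not part of the original message or of FreeRADIUS: it splits the MS-CHAP-Response value into the fields defined in RFC 2548 section 2.1.3 and reports whether the LM and NT fields are filled in. The function names, the `MS-CHAP-Response = 0x...` line format and the sample lines are assumptions of this example, as is treating an all-zero field as "not supplied".

```python
import re

# MS-CHAP-Response value layout per RFC 2548, section 2.1.3:
# Ident (1 octet), Flags (1 octet), LM-Response (24), NT-Response (24).
VALUE_LEN = 50
# Assumed debug line format: "MS-CHAP-Response = 0x<hex>"
ATTR_RE = re.compile(r"MS-CHAP-Response\s*=\s*0x([0-9a-fA-F]+)")


def parse_mschap_response(hex_value):
    """Split the attribute value into its fields."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != VALUE_LEN:
        raise ValueError(f"expected {VALUE_LEN} octets, got {len(raw)}")
    lm, nt = raw[2:26], raw[26:50]
    return {
        "ident": raw[0],
        "flags": raw[1],  # 1 = NT-Response preferred, 0 = LM-Response only
        # Assumption: an all-zero field means the client left it empty.
        "lm_present": any(lm),
        "nt_present": any(nt),
        "lm_response": lm.hex(),
        "nt_response": nt.hex(),
    }


def scan_debug(text):
    """Return one parsed record per MS-CHAP-Response line in debug text."""
    results = []
    for match in ATTR_RE.finditer(text):
        try:
            results.append(parse_mschap_response(match.group(1)))
        except ValueError:
            continue  # truncated or malformed attribute, skip it
    return results


# Constructed sample lines, not captured from a real server.
SAMPLE_DEBUG = "\n".join([
    "\tMS-CHAP-Challenge = 0x" + "11" * 8,
    "\tMS-CHAP-Response = 0x" + "0101" + "00" * 24 + "ab" * 24,  # NT only
    "\tMS-CHAP-Response = 0x" + "0201" + "cd" * 24 + "ef" * 24,  # LM and NT
    "\tMS-CHAP-Response = 0x0101abcd",                           # truncated
])

if __name__ == "__main__":
    for rec in scan_debug(SAMPLE_DEBUG):
        print(rec["ident"], rec["flags"], rec["lm_present"], rec["nt_present"])
```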