Freeradius in an AD environment on opensuse server

Maurizio Cimaschi mauri at unixrulez.org
Sat Aug 16 10:26:01 CEST 2008


Alan DeKok wrote:
>   The *client* has to supply the MS-CHAP magic using the LAN-manager
> password.  Since the client always chooses NT-hashed passwords... using
> LAN manager passwords is not possible.

From the README in src/modules/rlm_mschap:

*****
The method just described is called NT-encryption by the RFC.  MS-CHAP is
actually designed for compatibility with Microsoft LAN Manager as well.
The response returned by the client actually contains an LM encrypted
response as well as the NT-encrypted password.  This implementation only
uses the NT-encrypted response, which seems to work fine for Windows 98
and Windows 2000.
*****

So it seems more a limit of the server.

Could it be possible to see in the debug if the two encrypted pwd are 
available? If they're there it could be possible to write a patch and, 
possibly, to attach directly to the AD (which seems to make that LM pwd 
available).
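
Added example, not part of the original message and not FreeRADIUS code: a check of which response fields are populated in an MS-CHAP-Response attribute value, using the RFC 2548 layout (Ident, Flags, 24-byte LM-Response, 24-byte NT-Response). The function names and sample bytes are constructed for illustration, and treating an all-zero field as "not supplied" is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_LEN 50 /* Ident(1) + Flags(1) + LM-Response(24) + NT-Response(24) */
#define HAS_LM   1  /* LM-Response field is not all zeros */
#define HAS_NT   2  /* NT-Response field is not all zeros */
#define USE_NT   4  /* Flags == 1: NT-Response preferred over LM-Response */

/* True if any byte in the field is set. */
static int nonzero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc != 0;
}

/* Returns a bitmask of HAS_LM | HAS_NT | USE_NT, or -1 on a malformed value. */
int mschap_response_fields(const uint8_t *val, size_t len)
{
    if (val == NULL || len != RESP_LEN) return -1;
    int out = 0;
    if (nonzero(val + 2, 24))  out |= HAS_LM;  /* bytes 2..25  */
    if (nonzero(val + 26, 24)) out |= HAS_NT;  /* bytes 26..49 */
    if (val[1] == 1)           out |= USE_NT;
    return out;
}

/* Constructed sample value (not a capture): filler bytes stand in for responses. */
int demo(int with_lm)
{
    uint8_t val[RESP_LEN] = {0};
    val[0] = 0x01;                          /* Ident */
    val[1] = 0x01;                          /* Flags: prefer NT-Response */
    if (with_lm) memset(val + 2, 0xAA, 24); /* LM-Response filled in */
    memset(val + 26, 0xBB, 24);             /* NT-Response filled in */
    return mschap_response_fields(val, sizeof(val));
}

int main(void)
{
    printf("NT only: %d, LM+NT: %d\n", demo(0), demo(1));
    return 0;
}
```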




