Beating a dead horse, or freeradius 2.1.1 and active directory

Rupert Finnigan rupert.finnigan at
Wed Dec 3 23:55:45 CET 2008

Well, yes - it does proxy them fine.. But is the request from the switch a
MS-CHAP one? I don't think it is..

The switch will be sending a PAP request, not a MS-CHAP one, and so you'll
need to configure FreeRADIUS to take the PAP request and auth that against
AD. As the switch isn't sending a MS-CHAP request then FreeRADIUS can't
process it as such, and so the MS-CHAP module returns noop. Unfortunately, I'm
not clued up enough on FreeRADIUS to help you with this config, but in
essence this is what I think you need to do to achieve your goal.
2008/12/3 Ben Little <BLittle at>

> Yeah, I'm trying to authenticate and authorize administrative tty session
> to the cisco equipment itself, not 802.1x for clients on the network.  If
> it's not possible I guess it's not possible.  It does kind of make me wonder
> how the Cisco ACS works though because that 'proxies' radius or tacacs+
> authen and author requests to active directory quite nicely.
> ------------------------------
> From: [mailto:freeradius-users-bounces+blittle at] On Behalf Of Rupert Finnigan
> Sent: Wednesday, December 03, 2008 2:04 PM
> To: FreeRadius users mailing list
> Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
> Hi,
> I'm not sure if what you're doing is going to work.. You're trying to use
> MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP
> advice given so far is to get EAP working from a client, say an XP laptop
> doing 802.1X to gain access to a switchport.
> Someone will definitely correct me if I'm wrong, but I thought you could
> only do PAP (or CHAP???) for Authentication to a Terminal line. In which
> case, you either have to use the plain old users file, use a database such
> as mysql, or (probably a better solution) use the LDAP module to bind to the
> AD with the supplied username and password, and allow access if successful.
> Like I say - I'm really unsure on this one, but as no-one's replied for a
> while I thought it might help...
> Thanks,
> Rupes
> 2008/12/3 Ben Little <BLittle at>
>> PAP is working:
>> ++[pap] returns updated
>> Found Auth-Type = PAP
>> +- entering group PAP {...}
>> [pap] login attempt with password "secretz"
>> [pap] Using clear text password "secretz"
>> [pap] User authenticated successfully
>> ++[pap] returns ok
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 21 to *.*.*.* port 1645
>>        Cisco-AVPair = "shell:priv-lvl=15"
>> Finished request 1.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 1 ID 21 with timestamp +431
>> Ready to process requests.
>> For some reason though, even when configured to do so, the authentication
>> attempt coming from a switch or router is not being forwarded to the KDC.  I
>> have followed that how-to now to the letter and Active Directory is not
>> working, however active directory and krb are both working fine on the
>> server;
>> [wbinfo -a test%test output]
>> plaintext password authentication failed
>> Could not authenticate user test%test with plaintext password
>> challenge/response password authentication succeeded
>> I'm not sure what I am missing here? Why isn't the login attempt on the
>> switch being forwarded to active directory?  Is there something within the
>> switch that needs to be set? A radius attribute maybe to identify the login
>> attempt as mschap?
>> >
>> > Howto will show you how to set up and test with pap first:
>> >
>>  -
>> List info/subscribe/unsubscribe? See
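The wiring Rupert describes (accept the switch's PAP request and check the supplied password against AD) is, in FreeRADIUS 2.x, usually done with the `exec` module running Samba's `ntlm_auth`, as the AD howto referenced in the thread does. The fragment below is an added example and not configuration posted by anyone in the thread; the path to `ntlm_auth`, the domain name `EXAMPLE` and the `/etc/raddb` layout are placeholders for the reader's own values.

```unlang
# /etc/raddb/modules/ntlm_auth  (added example; path and domain are placeholders)
#
# An exec module instance named "ntlm_auth". "wait = yes" is required so the
# exit status of the program decides the result of the authenticate section.
# %{mschap:User-Name} strips any DOMAIN\ prefix from the login name;
# %{User-Password} is the password carried in the PAP request.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# /etc/raddb/sites-enabled/default  (only the relevant parts shown)
authorize {
        preprocess
        # mschap only sets Auth-Type := MS-CHAP when MS-CHAP attributes are
        # present. A tty login from the switch carries User-Password instead,
        # so mschap returns noop here, exactly as seen in the debug output.
        mschap
        # pap sets Auth-Type := PAP only when it finds a "known good" password
        # (users file, SQL, ...). For an AD-only user it returns noop.
        pap
        # Nothing claimed the request and it carries a PAP password:
        # hand it to ntlm_auth, which passes the credentials to winbind.
        if (User-Password && !control:Auth-Type) {
                update control {
                        Auth-Type := ntlm_auth
                }
        }
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type PAP {
                pap
        }
        # Matches the Auth-Type value set above; ntlm_auth exits 0 on success.
        ntlm_auth
}

post-auth {
        # Unchanged from the thread: hand the privilege level back to the NAS.
        update reply {
                Cisco-AVPair = "shell:priv-lvl=15"
        }
}
```

With this in place a successful run of `radiusd -X` shows `[ntlm_auth]` being entered instead of the `[pap] Using clear text password` line from the thread, and a failing AD password produces an Access-Reject rather than the MS-CHAP noop. Two practical checks: the `radiusd` user needs permission to talk to winbind (on most distributions, membership of the `winbindd_priv` group), and `wbinfo -a` run as that user should succeed before touching the RADIUS side. Because the request is PAP, the password reaches the RADIUS server protected only by the RADIUS shared secret obfuscation, so the matching `client` entry in `clients.conf` should be pinned to the switch's management address with a strong, unique secret. Rupert's alternative, the `ldap` module bound to AD with the user's own credentials, is wired the same way (set `Auth-Type := LDAP` in `authorize` and list `ldap` under `Auth-Type LDAP` in `authenticate`) and avoids the Samba/winbind dependency, at the cost of needing LDAPS or StartTLS to the domain controller.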