Beating a dead horse, or freeradius 2.1.1 and active directory

Ben Little BLittle at
Thu Dec 4 00:30:01 CET 2008

Yeah, I'm not sure I want to use LDAP (clear text) for authentication.  I'm starting to think that I can just use md5 passwords in a database or a flat file to manage it, there's really not that many "administrative" users for the cisco equipment.  It's either that or pony up several thousands for the Cisco ACS was worth beating my head against a wall for a few days though :-)


	From: at [ at] On Behalf Of Rupert Finnigan
	Sent: Wednesday, December 03, 2008 3:03 PM
	To: FreeRadius users mailing list
	Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
	Following on from this, I've just had a read of my radiusd.conf file. I'd start by having a look at the ldap module, specifically around the:
	                #  By default, if the packet contains a User-Password,
	                #  and no other module is configured to handle the
	                #  authentication, the LDAP module sets itself to do
	                #  LDAP bind for authentication.
	bit.. This might provide the answer you're looking for.
	2008/12/3 Rupert Finnigan <rupert.finnigan at>

		Well, yes - it does proxy them fine.. But is the request from the switch a MS-CHAP one? I don't think it is..
		The switch will be sending a PAP request, not a MS-CHAP one, and so you'll need to configure FreeRADIUS to take the PAP request and auth that against AD. As the switch isn't sending a MS-CHAP request then FreeRADIUS can't process it as such, and so MS-CHAP module returns noop. Unfortunately, I'm not clued up enough on FreeRADIUS to help you with this config, but in essence this is what I think you need to do to achieve your goal.
		2008/12/3 Ben Little <BLittle at>

			yeah I'm trying to authenticate and authorize administrative tty session to the cisco equipment itself, not 802.1x for clients on the network.  If it's not possible I guess it's not possible.  It does kind of make me wonder how the Cisco ACS works though because that 'proxies' radius or tacacs+ authen and author requests to active directory quite nicely.




				From: <> <>  [mailto:freeradius-users-bounces+blittle <mailto:freeradius-users-bounces%2Bblittle> <> <> ] On Behalf Of Rupert Finnigan
				Sent: Wednesday, December 03, 2008 2:04 PM
				To: FreeRadius users mailing list
				Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
				I'm not sure if what you're doing is going to work.. You're trying to use MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP advise given so far is to get EAP working from a client, say a XP laptop doing 802.1X to gain access to a switchport.
				Someone will definitely correct me if I'm wrong, but I thought you could only do PAP (or CHAP???) for Authentication to a Terminal line. In which case, you either have to use the plain old users file, use a database such as mysql, or (probably a better solution) use the LDAP module to bind to the AD with the supplied username and password, and allow access if successful.
				Like I say - I'm really unsure on this one, but as no-ones replied for a while I though it might help...
				2008/12/3 Ben Little <BLittle at>

					PAP is working:
					++[pap] returns updated
					Found Auth-Type = PAP
					+- entering group PAP {...}
					[pap] login attempt with password "secretz"
					[pap] Using clear text password "secretz"
					[pap] User authenticated successfully
					++[pap] returns ok
					+- entering group post-auth {...}
					++[exec] returns noop
					Sending Access-Accept of id 21 to *.*.*.* port 1645
					       Cisco-AVPair = "shell:priv-lvl=15"
					Finished request 1.
					Going to the next request
					Waking up in 4.9 seconds.
					Cleaning up request 1 ID 21 with timestamp +431
					Ready to process requests.
					For some reason though, even when configured to do so, the authentication attempt coming from a switch or router is not being forwarded to the KDC.  I have followed that how-to now to the letter and Active Directory is not working, however active directory and krb are both working fine on the server;
					[wbinfo -a test%test output]
					plaintext password authentication failed
					Could not authenticate user test%test with plaintext password
					challenge/response password authentication succeeded
					I'm not sure what I am missing here? Why isn't the login attempt on the switch being forwarded to active directory?  Is there something within the switch that meeds to be set? A radius attribute maybe to identify the login attempt as mschap?

					> Howto will show you how to set up and test with pap first:
					List info/subscribe/unsubscribe? See





			List info/subscribe/unsubscribe? See

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list