Freeradius and Active directory (An aside)

Nicolas Goutte nicolas.goutte at
Tue May 20 16:12:50 CEST 2008

Am 20.05.2008 um 16:05 schrieb Dean, Barry:

> Alan DeKok said:
>>  It is impossible to use CHAP to authenticate to AD.  You MUST use
>> MS-CHAP, or PAP.
> When testing my Radius server with AD and XSupplicant I found that  
> EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with  
> CHAP inner auth all failed.
> So you have explained why EAP-TTLS (CHAP) fails, thanks!
> So, is EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my  
> Radius config broken?

As far as I understand, the password for MS-CHAP is MD4 on UTF-16LE.  
So if you have only a password for MS-CHAP, you do not have a MD5  
version of the password.

> ---------------
> Barry Dean
> Networks Team
> -
> List info/subscribe/unsubscribe? See 
> users.html

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841

More information about the Freeradius-Users mailing list