Freeradius and Active directory (An aside)

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue May 20 16:20:08 CEST 2008


Dean, Barry wrote:
> Alan DeKok said:
>
>> It is impossible to use CHAP to authenticate to AD. You MUST use
>> MS-CHAP, or PAP.
>
> When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed.
>
> So you have explained why EAP-TTLS (CHAP) fails, thanks!
>
> So, are EAP-MD5 and EAP-TTLS (MD5) not possible also, or is my Radius config broken?
EAP-MD5 won't work either...

OK, the basic requirement for most authentication schemes transferring 
the user's credentials as a non-reversible hash is that the password is 
available RADIUS side as either a clear-text string, or as a reversible 
hash which can be transformed back into a clear-text string.

I say most because there are of course a few exceptions, the most notable 
being MSCHAP & MSCHAPv2, which allow you to store the password directory 
side as an MD4 hash of the passphrase encoded as a 16-bit Unicode string 
(NT Password) or a LANMAN password (can't remember the encoding for that).

I believe that AD uses NT Password hashes, which is why PEAP just works 
out of the box with Microsoft IAS. So no, MD5/CHAP won't work with 
Active Directory. But PAP, MSCHAP/MSCHAPv2 should all work just fine.

Thanks,
Arran


> ---------------
> Barry Dean
> Networks Team


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) 
E1-1-08, Engineering 1, University Of Sussex, Brighton
EXT: +44 1273 873900 | INT: 3900