Freeradius and Active directory

Alan DeKok aland at deployingradius.com
Thu May 22 17:04:21 CEST 2008


Tomáš Janeček wrote:
> MYNTDOMAIN is just a fake Domain name I pasted in the log. But ntlm_auth
> on the server uses my real domain...
> 
> I see the error announced by ntlm_auth, but don't know how to repair it.
> When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN
> --username=user and provide the password, everything works fine...
> 
> The Windows machine is a member of the domain (for a few months).
> 
> Isn't there a problem with the PLAINTEXT?

  No.  ntlm_auth will take the MS-CHAP data, and send it to Active
Directory.  AD *should* use that to authenticate the user, and return
ok/fail.

  To test MS-CHAP, I suggest using eapol_test, from wpa_supplicant.  See
src/tests/eap-ttls-mschap.conf for a sample configuration.

  1) test ntlm_auth on the command-line with clear-text passwords
  2) test EAP-TTLS + MSCHAP with eapol_test, and a user in the "users"
     file.
  3) test EAP-TTLS + MSCHAP with eapol_test, and the username/password
     from (1).
  4) test it with a real supplicant.

  Alan DeKok.
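The four checks above as a script. This is an added example, not code from the thread or from the FreeRADIUS or wpa_supplicant projects; it assumes ntlm_auth and eapol_test are in PATH, a FreeRADIUS server on 127.0.0.1:1812 with the default shared secret "testing123", a ca.pem in the working directory, and placeholder NT_DOMAIN/NT_USER/NT_PASS values that must be replaced with real ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes ntlm_auth and eapol_test in
# PATH, FreeRADIUS on 127.0.0.1:1812 with secret "testing123", ca.pem in the
# working directory, and placeholder NT_DOMAIN/NT_USER/NT_PASS to be replaced.
NT_DOMAIN="${NT_DOMAIN:-MYREALNTDOMAIN}"
NT_USER="${NT_USER:-user}"
NT_PASS="${NT_PASS:-password}"
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"
# Step 1: clear-text ntlm_auth check against AD (winbind must already work).
ntlm_auth_plain() {
    ntlm_auth --request-nt-key --domain="$1" --username="$2" --password="$3"
}

# Entry for the FreeRADIUS "users" file used in step 2 (local account only).
users_file_entry() {
    printf '%s\tCleartext-Password := "%s"\n' "$1" "$2"
}

# eapol_test config: EAP-TTLS outer, MSCHAP inner, laid out like
# wpa_supplicant's src/tests/eap-ttls-mschap.conf. Args: file identity password.
write_ttls_mschap_conf() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="$2"
    anonymous_identity="anonymous"
    password="$3"
    ca_cert="ca.pem"
    phase2="auth=MSCHAP"
}
EOF
}

# Steps 2 and 3: eapol_test prints SUCCESS or FAILURE when the exchange ends.
run_eapol_test() {
    eapol_test -c "$1" -a "$RADIUS_HOST" -p 1812 -s "$RADIUS_SECRET" | grep -q '^SUCCESS'
}

run_all() {
    ntlm_auth_plain "$NT_DOMAIN" "$NT_USER" "$NT_PASS" || { echo "step 1: fix ntlm_auth/winbind first"; return 1; }
    write_ttls_mschap_conf ttls-local.conf testuser testpass   # pair from users_file_entry
    run_eapol_test ttls-local.conf || { echo "step 2: EAP-TTLS/MSCHAP path broken, AD not involved"; return 1; }
    write_ttls_mschap_conf ttls-ad.conf "$NT_USER" "$NT_PASS"
    run_eapol_test ttls-ad.conf || { echo "step 3: mschap -> ntlm_auth -> AD handoff failing"; return 1; }
    echo "steps 1-3 passed; now try a real supplicant (step 4)"
}
if [ "${1:-}" = "run" ]; then run_all; fi
```

Run it as `sh script.sh run`; the first step that fails tells you which layer (winbind, the EAP-TTLS/MSCHAP path, or the mschap-to-AD handoff) to look at.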


