FreeRADIUS and Active Directory
Alan DeKok
aland at deployingradius.com
Thu May 22 17:04:21 CEST 2008
Tomáš Janeček wrote:
> MYNTDOMAIN is just a fake Domain name I pasted in the log. But ntlm_auth
> on server uses my real domain...
>
> I see the error announced by ntlm_auth, but don't know how to repair it.
> When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN
> --username=user and provide the password, everything works fine...
>
> The Windows machine is a member of the domain (for a few months).
>
> Isn't there a problem with the PLAINTEXT?
No. ntlm_auth will take the MS-CHAP data, and send it to Active
Directory. AD *should* use that to authenticate the user, and return
ok/fail.
To test MS-CHAP, I suggest using eapol_test, from wpa_supplicant. See
src/tests/eap-ttls-mschap.conf for a sample configuration.
1) test ntlm_auth on the command-line with clear-text passwords
2) test EAP-TTLS + MSCHAP with eapol_test, and a user in the "users"
file.
3) test EAP-TTLS + MSCHAP with eapol_test, and the username/password
from (1).
4) test it with a real supplicant.
Alan DeKok.
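The four-step test sequence above, scripted as an added example (this is not code from the original thread, from FreeRADIUS or from wpa_supplicant). It only builds the command lines, the "users" file entry and an eapol_test configuration modelled on the eap-ttls-mschap.conf sample; ntlm_auth and eapol_test are run only if they are installed. The domain, user, password, server address and shared secret are placeholders.

```shell
#!/bin/sh
# Added example: scaffold for the four-step MS-CHAP test sequence.
# Domain, user, password, RADIUS server and shared secret are placeholders.

# Step 1: the ntlm_auth command line. --request-nt-key is what the FreeRADIUS
# mschap module itself asks for; without --password the tool prompts for it.
ntlm_auth_cmd() {
    domain="$1"; user="$2"
    printf 'ntlm_auth --request-nt-key --domain=%s --username=%s\n' "$domain" "$user"
}

# Interpret ntlm_auth output: a successful bind prints "NT_STATUS_OK: Success (0x0)";
# anything else (e.g. NT_STATUS_LOGON_FAILURE) means AD rejected the credentials
# or winbind is not joined to the domain. Returns 0 only on NT_STATUS_OK.
ntlm_auth_ok() {
    case "$1" in
        *NT_STATUS_OK*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Step 2: a "users" file entry. MS-CHAP needs the clear-text password on the
# server side (it cannot be checked against a hashed Crypt-Password).
users_entry() {
    user="$1"; password="$2"
    printf '%s\tCleartext-Password := "%s"\n' "$user" "$password"
}

# Steps 2 and 3: an eapol_test configuration for EAP-TTLS with MSCHAP as the
# inner method, modelled on the wpa_supplicant eap-ttls-mschap.conf sample.
write_eapol_conf() {
    file="$1"; user="$2"; password="$3"
    cat > "$file" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="$user"
    anonymous_identity="anonymous"
    password="$password"
    phase2="auth=MSCHAP"
}
EOF
}

# Drives the sequence. Each tool is invoked only when present; otherwise the
# command to type is printed so it can be run on the RADIUS host.
run_sequence() {
    domain="$1"; user="$2"; password="$3"
    server="${4:-127.0.0.1}"; secret="${5:-testing123}"
    conf="${TMPDIR:-/tmp}/eapol-ttls-mschap.conf"

    echo "Step 1: $(ntlm_auth_cmd "$domain" "$user")"
    if command -v ntlm_auth >/dev/null 2>&1; then
        out=$(ntlm_auth --request-nt-key --domain="$domain" \
              --username="$user" --password="$password" 2>&1) || true
        if ntlm_auth_ok "$out"; then
            echo "  ntlm_auth: OK"
        else
            echo "  ntlm_auth failed: $out"; return 1
        fi
    fi

    echo "Step 2: add to the users file -> $(users_entry "$user" "$password")"
    write_eapol_conf "$conf" "$user" "$password"
    echo "Steps 2/3: eapol_test -c $conf -a $server -p 1812 -s $secret"
    if command -v eapol_test >/dev/null 2>&1; then
        if eapol_test -c "$conf" -a "$server" -p 1812 -s "$secret" >/dev/null 2>&1; then
            echo "  eapol_test: SUCCESS"
        else
            echo "  eapol_test: FAILURE (see full output without redirection)"; return 1
        fi
    fi

    echo "Step 4: repeat with a real supplicant against the same server"
}
```

Run step 2 with the user present in the "users" file and step 3 with that entry removed so that mschap falls through to ntlm_auth; if step 1 passes but step 3 fails, the problem is in the mschap module's ntlm_auth command line or in the winbind join, not in the EAP tunnel.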