Authentication with Active Directory with CHAP Passwords

Luiz Gustavo de Villa Scandelari luizgustavo at
Fri Aug 14 22:08:22 CEST 2009

Hello everyone,


I would like to receive some help on authentication with AD using CHAP
Passwords. I've already configured the radius (v 2.1.6) to authenticate in
the AD (Microsoft) using LDAP and clear-text passwords; until now it works
perfectly, but in the radius debug the following message appears:


“rad_recv: Access-Request packet from host port 64871, id=7,
        User-Name = "1000700025"
        User-Password = "123456"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "1000700025", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for 1000700025
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
[ldap]  expand: dc=pedagogico,dc=net -> dc=pedagogico,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to, authentication 0
rlm_ldap: bind as wni at at 2009 to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=pedagogico,dc=net, with filter
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user 1000700025 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "1000700025" with password "123456"
rlm_ldap: (re)connect to, authentication 1
rlm_ldap: bind as CN=LUIZ RICARDO DE VILLA
Computers,DC=PEDAGOGICO,DC=NET/123456 to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user 1000700025 authenticated succesfully
++[ldap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to port 64871
Finished request 0.”


I suppose that happens because I cannot read the AD user password, right?
The important thing is that it works with LDAP authentication. The problem is that I
have a system that sends Access-Requests with Username and CHAP-Passwords
(CoovaChilli), so radius authorizes the user but cannot authenticate it.


I've already read Allan's webpage
about integration of AD and RADIUS but I still have some questions. Can I
use CHAP with the SAMBA ntlm_auth method, or do I need to change the password
encryption to another protocol such as PAP or MS-CHAP? If I modify
coovachilli to send PAP passwords, am I going to be able to use ldap for
authorization and authentication, or do I need just plain?


I hope somebody can help me.




Skype: luiz.gustavo.wni
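An added illustration (not part of the original post, nor FreeRADIUS or CoovaChilli code) of why the "No known good password" warning above matters for CHAP but not for PAP: a CHAP-Password can only be checked by recomputing the MD5 response from the cleartext password, while a PAP User-Password can simply be tried as an LDAP bind. The BindOnlyDirectory class is a constructed stand-in for AD over LDAP, which confirms a bind but never returns the stored password; the account and password values are the ones shown in the debug output.

```python
import hashlib
import hmac
import os
from typing import Optional


class BindOnlyDirectory:
    """Constructed stand-in for AD over LDAP: it can confirm user+password via
    a bind, but never hands back the stored password (no "known good" value)."""

    def __init__(self, accounts: dict):
        self._accounts = accounts  # sAMAccountName -> password, never exposed

    def bind(self, user: str, password: str) -> bool:
        return self._accounts.get(user) == password


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 section 5.3: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def make_chap_password_attr(ident: int, password: str, challenge: bytes) -> bytes:
    """Client side (what CoovaChilli sends): CHAP-Password = ident byte + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password.encode(), challenge)


def pap_authenticate(directory: BindOnlyDirectory, user: str, user_password: str) -> bool:
    """PAP: the cleartext arrives in User-Password, so binding as the user is enough."""
    return directory.bind(user, user_password)


def chap_authenticate(chap_password_attr: bytes, challenge: bytes,
                      known_good: Optional[bytes]) -> bool:
    """CHAP: the server must recompute the hash, which needs the cleartext
    ("known good") password. A bind-only directory cannot supply it."""
    if known_good is None or len(chap_password_attr) != 17:
        return False
    ident = chap_password_attr[0]
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(expected, chap_password_attr[1:])


def demo():
    ad = BindOnlyDirectory({"1000700025": "123456"})   # values from the debug output
    challenge = os.urandom(16)                          # CHAP-Challenge / Request Authenticator
    attr = make_chap_password_attr(7, "123456", challenge)
    pap_ok = pap_authenticate(ad, "1000700025", "123456")
    chap_ldap_only = chap_authenticate(attr, challenge, None)       # what LDAP-to-AD offers
    chap_known_good = chap_authenticate(attr, challenge, b"123456")  # needs cleartext on the server
    return pap_ok, chap_ldap_only, chap_known_good


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```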


More information about the Freeradius-Users mailing list