Authentication with Active Directory with CHAP Passwords

Luiz Gustavo de Villa Scandelari luizgustavo at wni.com.br
Fri Aug 14 22:08:22 CEST 2009


Hello everyone,

I would like to receive some help on authentication with AD using CHAP
passwords. I've already configured the radius (v 2.1.6) to authenticate in
the AD (Microsoft) using LDAP and clear-text passwords; until now it works
perfectly, but the following message appears in the radius debug:

"rad_recv: Access-Request packet from host 192.168.0.100 port 64871, id=7, length=50
        User-Name = "1000700025"
        User-Password = "123456"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "1000700025", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for 1000700025
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=1000700025)
[ldap]  expand: dc=pedagogico,dc=net -> dc=pedagogico,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.17.16.4:389, authentication 0
rlm_ldap: bind as wni at pedagogico.net/wni at 2009 to 172.17.16.4:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=pedagogico,dc=net, with filter (sAMAccountName=1000700025)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
-> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly? <-
[ldap] Setting Auth-Type = LDAP
[ldap] user 1000700025 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "1000700025" with password "123456"
[ldap] user DN: CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and Computers,DC=PEDAGOGICO,DC=NET
rlm_ldap: (re)connect to 172.17.16.4:389, authentication 1
rlm_ldap: bind as CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and Computers,DC=PEDAGOGICO,DC=NET/123456 to 172.17.16.4:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user 1000700025 authenticated succesfully
++[ldap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 192.168.0.100 port 64871
Finished request 0."

I suppose that happens because I cannot read the AD user password, right?
The important thing is that it works with LDAP authentication. The problem is that I
have a system that sends Access-Requests with Username and CHAP-Passwords
(CoovaChilli), so radius authorizes the user but cannot authenticate it.

I've already read Alan's webpage
(http://deployingradius.com/documents/configuration/active_directory.html)
about integration of AD and RADIUS, but I still have some questions. Can I
use CHAP with the SAMBA ntlm_auth method, or should I change the password
encryption to another protocol such as PAP or MS-CHAP? If I modify
coovachilli to send PAP passwords, am I going to be able to use ldap for
authorization and authentication, or do I need just plain?

I hope somebody can help me.

Thanks,

LUIZ GUSTAVO SCANDELARI

Skype: luiz.gustavo.wni
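The question above turns on why the "No known good password" warning matters for CHAP but not for the LDAP bind that succeeded. The following Python is an added illustration, not code from the post or from FreeRADIUS: it models the two checks a RADIUS server can make. With PAP the clear-text password is in the request, so the server can hand it to an LDAP bind and let the directory answer yes or no. With CHAP (RFC 1994) the request only carries MD5(identifier || password || challenge), so the server must recompute that digest from a stored clear-text password; AD does not return one over LDAP, and a bind cannot be performed with a digest. The credential store, the `ldap_bind` stand-in and the request builders are constructed for the example (the user name and password are the ones from the debug output in the post).

```python
import hashlib
import hmac

# Constructed sample credential store (for the example only). rlm_chap needs a
# clear-text "known good" password like this; an AD LDAP bind never returns one.
CLEARTEXT_DB = {"1000700025": "123456"}


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_chap_request(username, password, ident, challenge):
    """What a NAS such as CoovaChilli sends: RFC 2865 CHAP-Password is the one-byte
    identifier followed by the 16-byte response; the challenge travels in
    CHAP-Challenge (or in the Request Authenticator)."""
    return {
        "User-Name": username,
        "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge),
        "CHAP-Challenge": challenge,
    }


def build_pap_request(username, password):
    """PAP Access-Request: the clear-text password itself is in User-Password."""
    return {"User-Name": username, "User-Password": password}


def ldap_bind(username, password):
    """Stand-in for an AD simple bind: the directory answers yes/no for a candidate
    password and the RADIUS server never learns the stored value (constructed)."""
    return CLEARTEXT_DB.get(username) == password


def verify_chap(request, cleartext_db):
    """Server-side CHAP check as rlm_chap performs it: recompute the response from the
    stored clear-text password and compare. With no stored password there is nothing
    to recompute, which is the "No known good password" case in the debug output."""
    known_good = cleartext_db.get(request["User-Name"])
    if known_good is None:
        return False
    ident = request["CHAP-Password"][0]
    received = request["CHAP-Password"][1:]
    expected = chap_response(ident, known_good, request["CHAP-Challenge"])
    return hmac.compare_digest(received, expected)


def authenticate(request, cleartext_db, bind):
    """Route the request the way a RADIUS server must: User-Password can be checked by
    binding to the directory; CHAP-Password can only be checked against a stored
    clear-text password, never by binding, because it is a digest and not a password."""
    if "User-Password" in request:
        return bind(request["User-Name"], request["User-Password"])
    if "CHAP-Password" in request:
        return verify_chap(request, cleartext_db)
    return False


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed 16-byte CHAP challenge
    chap_req = build_chap_request("1000700025", "123456", 7, challenge)
    print("CHAP with clear-text store:", authenticate(chap_req, CLEARTEXT_DB, ldap_bind))
    print("CHAP with AD-style store (no clear-text):", authenticate(chap_req, {}, ldap_bind))
    print("PAP via LDAP bind:", authenticate(build_pap_request("1000700025", "123456"), {}, ldap_bind))
```

The second line of output is the poster's situation: the same CHAP request that verifies against a clear-text store fails when the only backend is a directory that will bind but will not reveal the password. PAP succeeds against that directory because the bind is performed with the password from the request. MS-CHAP is a third path: FreeRADIUS hands the challenge and NT-Response to Samba's ntlm_auth, which checks them against the NT hash held by the domain, so it works with AD without the server ever holding a clear-text password; plain CHAP has no such helper.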
