Freeradius with OpenLDAP and AD.

SDamron sdamron at gmail.com
Tue Feb 17 15:58:28 CET 2009


Would Kerberos authentication work with AD and EAP, or am I thinking
too early in the day?

On Tue, Feb 17, 2009 at 8:55 AM,  <tnt at kalik.net> wrote:
>>Hi, I have several problems when I would like to link freeradius with AD
>>using OpenLDAP.
>
> Look up
> http://deployingradius.com/documents/configuration/active_directory.html
> to see how to integrate with AD for pap and mschap/PEAP.
>
>>When I tried to test the binding of OpenLDAP to the AD with radtest, it
>>responds Access-Accept (as you can see in the log after).
>
> Yes.
>
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as
>>CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
>>Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated
>>succesfully
>
> Ldap "bind as user" works for pap requests. And nothing else. This is
> documented in ldap module configuration file.
>
>>But when I wanted to check with a real supplicant (under WinXP with
>>MD5-Challenge Auth) I got an access-reject.
>>
>
> EAP-MD5 authentication requires clear text password:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> AD is not going to provide it via ldap. You can't use AD to authenticate
> with EAP-MD5. Obtaining a reversibly encrypted password from AD is
> proprietary MS stuff. You need IAS for that, plus you need to enable
> reversible passwords for your users in Remote Access Policy. If this
> wasn't enabled already, reversible passwords will be created next time
> the user changes the password (i.e. all users will most likely need to
> enter new passwords).
>
> Ivan Kalik
> Kalik Informatika ISP
>
More information about the Freeradius-Users mailing list
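As an added example (not part of the thread, and not FreeRADIUS or rlm_ldap code), the following Python models the distinction Ivan draws above. An LDAP "bind as user" only answers yes/no for a cleartext password that the server already has in hand, which is exactly what a PAP request carries. An EAP-MD5 response (RFC 3748 section 5.4, the CHAP computation from RFC 1994) is MD5(Identifier || password || Challenge), so the server can only check it if it holds the cleartext password itself; a bind oracle gives it nothing to compute against, and the result is the Access-Reject the original poster saw from the WinXP supplicant while radtest (PAP) got Access-Accept. The user name, password and directory contents are constructed for the example.

```python
"""PAP vs EAP-MD5 against a 'bind as user' credential store (added example)."""
import hashlib
import hmac
import os

# Constructed sample directory (not from the thread). In the real setup this
# is Active Directory, which will bind with a password but never hand it out.
USER_PASSWORD = {"philippe": "Winter2009!"}


def ldap_bind(username: str, password: str) -> bool:
    """Models rlm_ldap 'bind as user': yes/no for a password the server supplies."""
    return USER_PASSWORD.get(username) == password


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """RFC 3748 s5.4 / RFC 1994: Response-Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode("utf-8") + challenge).digest()


class BindOnlyStore:
    """What AD offers over LDAP: a bind oracle, no readable cleartext password."""

    def cleartext(self, username: str):
        return None  # the directory never returns the password itself

    def check(self, username: str, password: str) -> bool:
        return ldap_bind(username, password)


class CleartextStore:
    """What EAP-MD5 needs: the server can read the user's cleartext password
    (Cleartext-Password from the users file, or an LDAP attribute that exposes it)."""

    def __init__(self, table: dict):
        self._table = table

    def cleartext(self, username: str):
        return self._table.get(username)

    def check(self, username: str, password: str) -> bool:
        return self._table.get(username) == password


def authenticate_pap(store, username: str, password: str) -> str:
    """PAP: the request carries the cleartext password, so a bind oracle is enough."""
    return "Access-Accept" if store.check(username, password) else "Access-Reject"


def authenticate_eap_md5(store, username: str, identifier: int,
                         challenge: bytes, response: bytes) -> str:
    """EAP-MD5: the request carries only a digest; the server must recompute it,
    which requires the cleartext password. With a bind-only store there is no
    candidate password to bind with, so the only possible answer is a reject."""
    password = store.cleartext(username)
    if password is None:
        return "Access-Reject"  # this is the rejection the XP supplicant saw
    expected = eap_md5_response(identifier, password, challenge)
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def supplicant_eap_md5(password: str, identifier: int, challenge: bytes) -> bytes:
    """Supplicant side: answer the EAP-Request/MD5-Challenge with the digest."""
    return eap_md5_response(identifier, password, challenge)


def demo() -> dict:
    """Run the three cases from the thread against the constructed directory."""
    challenge = os.urandom(16)  # server-chosen EAP-Request/MD5-Challenge value
    identifier = 1
    response = supplicant_eap_md5("Winter2009!", identifier, challenge)
    return {
        # radtest: PAP, bind as user -> Access-Accept
        "pap_via_bind": authenticate_pap(BindOnlyStore(), "philippe", "Winter2009!"),
        # WinXP MD5-Challenge, bind as user -> Access-Reject
        "eap_md5_via_bind": authenticate_eap_md5(BindOnlyStore(), "philippe",
                                                 identifier, challenge, response),
        # same exchange when the server actually holds the cleartext password
        "eap_md5_via_cleartext": authenticate_eap_md5(CleartextStore(USER_PASSWORD), "philippe",
                                                      identifier, challenge, response),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The same shape of argument applies to the other EAP types on the compatibility page Ivan links: whatever the inner method computes on the supplicant side, the server needs the matching credential form (cleartext for EAP-MD5, the NT hash for MS-CHAP) rather than a yes/no oracle, unless the method itself tunnels a cleartext password the server can bind with.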