Freeradius with OpenLDAP and AD.

SDamron sdamron at
Tue Feb 17 15:58:28 CET 2009

Would Kerberos authentication work with AD and EAP, or am I thinking
too early in the day?

On Tue, Feb 17, 2009 at 8:55 AM,  <tnt at> wrote:
>>Hi, I have several problems when I would like to link freeradius with AD
>>using OpenLDAP.
> Look up
> to see how to inegrate with AD for pap and mschap/PEAP.
>>When I tried to test the binding of OpenLDAP to the AD with radtest, it
>>responds Access-Accept (as you can see in the log after).
> Yes.
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as
>>CN=philippe,CN=Users,DC=test,DC=fr/philippe to
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
>>Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated
> Ldap "bind as user" works for pap requests. And nothing else. This is
> documented in ldap module configuration file.
>>But when I wanted to check with a real supplicant (under WinXP with
>>MD5-Challenge Auth) I got an access-reject.
> EAP-MD5 authentication requires clear text password:
> AD is not going to provide it via ldap. You can't use AD to authenticate
> with EAP-MD5. Obtaining a reversibly encrypted password from AD is
> propriatory MS stuff. You need IAS for that plus to enable reversible
> passwords for your users in Remote Access Policy. If this wasn't
> enabled already, reversible passwords will be created next time user
> changes the password (ie. all users will most likely need to enter new
> passwords).
> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list