Limitation of authenticating against AD
Herwin Weststrate
herwin at quarantainenet.nl
Wed Sep 3 18:33:45 CEST 2014
On 03-09-14 18:24, Dennis Xu wrote:
> Thanks for the information. So FreeRadius uses LDAP to authenticate against AD
That would be an uncommon setup. You can authenticate via the tool
ntlm_auth (which uses RPC over SMB, and is kind of limited to Active
Directory and Samba), or you proxy the request and enable the
RADIUS-server of Active Directory (I believe it was called NPS).
> and LDAP cannot read the passwords in those formats.
No, Alan said you cannot read the passwords via LDAP, that has nothing
to do with the format of the stored passwords. But you don't need to
read the password in order to authenticate.
> Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD:
>
> http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/eap_pap_phase.html#wp1014889
AD stores NT hashes, they are compatible with MSCHAPv2.
--
Herwin Weststrate
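For the ntlm_auth path described above, the following is the shape of the FreeRADIUS mschap module configuration that hands the MS-CHAPv2 challenge and response to winbind. This is an added illustration, not text from the thread; the binary path and the domain name are assumptions, so compare it with the mods-available/mschap file shipped with your version.

```conf
# mods-available/mschap (FreeRADIUS 3.x) -- added illustration, not from the thread.
# FreeRADIUS never reads the AD password. It forwards the MS-CHAPv2 challenge
# and the client's NT-Response to ntlm_auth, which asks the domain controller
# through winbind (NETLOGON RPC over SMB) to verify them against the stored
# NT hash and hand back the session key for MPPE.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # Binary path and domain are assumptions; adjust to your Samba install.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The host must already be joined to the domain and the user radiusd runs as needs access to winbind's privileged pipe; check the join first with `ntlm_auth --request-nt-key --domain=EXAMPLE --username=someuser` before debugging it inside RADIUS.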