Limitation of authenticating against AD

Herwin Weststrate herwin at
Wed Sep 3 18:33:45 CEST 2014

On 03-09-14 18:24, Dennis Xu wrote:
> Thanks for the information. So FreeRadius uses LDAP to authenticate against AD 

That would be an uncommon setup. You can authenticate via the tool
ntlm_auth (which uses RPC over SMB, and is kind of limited to Active
Directory and Samba), or you proxy the request and enable the
RADIUS-server of Active Directory (I believe it was called NPS).

> and LDAP cannot read the passwords in those formats.

No, Alan said you cannot read the passwords via LDAP, that has nothing
to do with the format of the stored passwords. But you don't need to
read the password in order to authenticate.

> Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD:

AD stores NT hashes, they are compatible with MSCHAPv2.

Herwin Weststrate

More information about the Freeradius-Users mailing list