Freeradius in dmz (not joined to AD) and authorization from AD LDAP

Matthew Newton matthew at newtoncomputing.co.uk
Tue Apr 25 10:06:17 CEST 2017


On 25 April 2017 08:45:49 BST, chose <chose at ajetaci.cz> wrote:
> is it able to authorize users from Windows AD LDAP from Freeradius in
> DMZ zone without joining AD (security reasons).

Yes, with limitations, depending on your situation.

> I found that there is
> problem with passwords hash, freeradius gets password in mschapv2

Because AD won't give you the password hash in the LDAP response, the only option you have got is to attempt to bind, which needs a clear password. So doing this means you're limited to PAP-based methods.


-- 
Matthew
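
Added example, not part of the original message or the FreeRADIUS project's shipped configuration: a minimal sketch of the bind-based setup described above, assuming FreeRADIUS 3.x. The hostname, DNs, password and CA path are placeholders.

```conf
# mods-available/ldap -- all hostnames, DNs and paths below are placeholders
ldap {
    server   = 'dc1.example.org'              # placeholder AD domain controller
    identity = 'CN=radius-lookup,OU=Service,DC=example,DC=org'  # search-only account
    password = 'CHANGE_ME'
    base_dn  = 'DC=example,DC=org'

    user {
        base_dn = "${..base_dn}"
        # AD login name; falls back to User-Name when no realm was stripped
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    # The bind carries the user's clear-text password from the DMZ host
    # to the DC, so the LDAP connection itself must be encrypted.
    tls {
        start_tls    = yes
        ca_file      = /etc/raddb/certs/ad-ca.pem
        require_cert = 'demand'
    }
}

# sites-available/default (same blocks go in inner-tunnel for EAP-TTLS/PAP)
authorize {
    ldap
    # Only a PAP request contains User-Password. An MS-CHAPv2 request has
    # just a challenge and response, so this condition never matches for it
    # and there is nothing the server could bind with.
    if ((ok || updated) && &User-Password) {
        update control {
            &Auth-Type := ldap
        }
    }
}

authenticate {
    Auth-Type LDAP {
        ldap        # binds to AD as the user's DN with the supplied password
    }
}
```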



More information about the Freeradius-Users mailing list