freeradius + ldap (AD) + dot1x
Mathieu Simon (Lists)
matsimon.lists at simweb.ch
Sun Jun 11 12:36:57 CEST 2017
On 11.06.2017 at 11:41, Paweł Grzęda wrote:
> Hello,
>
[...]
>
> Tutorial:
>
> http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+source
>
> I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the
> binding works, however I still can't get Access-Accept message. I think
> my problem is related to clear-text passwords (warning about no known
> good password), however I don't know how to fix it. Is there a way to
> configure this securely?
Assuming Samba 4 tries to work and behave like AD on Windows Server I
imagine it does the same by default:
"Active Directory does not allow FreeRADIUS to query the user's password
via LDAP, or LDAPS." (Alan D. on a thread only a couple of days before)
I haven't confirmed this since I have never used FR with a Samba 4 domain,
but only with Windows-based AD services. Though there seems to be a
possibility to permit it by an ACL in smb.conf that allows this.
By default I'd assume like with a Windows AD: Join the FR server to your
Samba 4 AD domain and use NTLM authentication (like mentioned in your
linked page).
You'd have to select between the older method using ntlm_auth, or
directly via Winbind. (read the config file for the mschap module)
Have a look at integrating with a Windows-based AD:
* http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
* http://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
Good luck.
-- Mathieu
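As an added illustration (not part of Mathieu's reply or the FreeRADIUS project's own text), this is how the two choices he mentions appear in a FreeRADIUS 3.0.x mods-available/mschap configuration; the ntlm_auth path is an assumption, and both options presuppose the FreeRADIUS host is joined to the AD domain and runs winbindd:

```text
# mods-available/mschap (FreeRADIUS 3.0.x) -- added example, not from the thread.
# Both options assume the FreeRADIUS host has been joined to the AD domain
# (net ads join) and that winbindd is running on it.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes

	# Option 1: the older method, spawning one ntlm_auth process per request.
	# The path is an assumption; check `which ntlm_auth` on your system.
	# --allow-mschapv2 is required with Samba 4.5 and later.
	ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Option 2: talk to winbindd directly over libwbclient (FreeRADIUS must be
	# built with winbind support). Comment out ntlm_auth above when using this.
	# winbind_username = "%{mschap:User-Name}"
	# winbind_domain = "%{mschap:NT-Domain}"
}
```

Before enabling either option, `wbinfo -t` on the FreeRADIUS host confirms that the machine account's trust with the domain controller works.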