How does "bind as user" mode work?
Rodrigo Abrantes Antunes
rodrigoantunes at pelotas.ifsul.edu.br
Thu Aug 17 12:14:27 UTC 2023
With TTLS + PAP I still need read access to the user password in AD,
right? This is what is said in the debug output at least, so it
doesn't help me because I don't have this access, as I said earlier.
Quoting Alan DeKok <aland at deployingradius.com>:
> On Aug 16, 2023, at 12:45 PM, Rodrigo Abrantes Antunes
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> I have followed this guide and it works with radtest but not with wifi.
>
> See the debug output. It will be VERY DESCRIPTIVE.
>
> It will even mention active directory.
>
>> https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/
>>
>> Do I need to have access to the user password in active directory
>> to allow wifi authentication with freeradius?
>
> Yes. But it's not about "wifi" as such. It's about the
> authentication method used. In this case, probably PEAP/MS-CHAPv2.
>
>> I don't have this access and I thought the "bind as user" mode
>> would solve this (bind with the logging in user, just like
>> ldapsearch) but I think it is not what I thought.
>
> "bind as user" only works if FreeRADIUS gets a User-Password attribute.
>
>> How can I achieve that? Am I restricted to mschap?
>
> You can't use MS-CHAP with AD. You need Samba and ntlm_auth as an
> intermediary.
>
> See http://deployingradius.com/documents/configuration/active_directory.html
>
> I don't know about AD in the cloud... that's a whole other story.
>
> If the WiFi configuration uses TTLS + PAP, then "bind as user" will work.
>
> Alan DeKok.
>
> -List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
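To make the mechanism in Alan's reply concrete, here is an added configuration example that is not part of the list post or of the FreeRADIUS project's shipped files. It shows the relevant parts of a FreeRADIUS 3.x "inner-tunnel" virtual server wired for "bind as user", and assumes the stock rlm_ldap instance is named `ldap` and already points at the LDAPS endpoint configured in mods-available/ldap. The point it illustrates: the `ldap` bind in `authenticate` is only reachable when the inner method delivered a cleartext `User-Password` (TTLS + PAP), so the password never has to be readable from the directory; PEAP/MS-CHAPv2 never produces that attribute, so it falls through to `mschap`, which against AD must be backed by ntlm_auth (the page Alan links).

```unlang
#  Added example (not from the list post or the FreeRADIUS distribution):
#  an inner-tunnel virtual server that authenticates TTLS+PAP users by
#  binding to LDAP as the user, and leaves MS-CHAPv2 to rlm_mschap.
#  Assumes the rlm_ldap instance is called "ldap" (hypothetical setup).
server inner-tunnel {
	authorize {
		#  PEAP's inner EAP-MSCHAPv2 is unpacked by the eap module,
		#  which hands the challenge/response pair to mschap.
		eap {
			ok = return
		}

		#  Look the user up with the module's own service credentials.
		#  Against AD this yields group membership and similar data,
		#  but never the password: AD does not expose userPassword or
		#  unicodePwd over LDAP, so no "known good" password is added
		#  to the request for pap/mschap to compare against.
		-ldap

		#  "Bind as user": only possible when the inner method carried
		#  the cleartext password (TTLS+PAP).  PEAP/MS-CHAPv2 carries
		#  MS-CHAP-Challenge / MS-CHAP2-Response instead, so User-Password
		#  is absent and this block is skipped.
		if ((ok || updated) && User-Password && !control:Auth-Type) {
			update {
				control:Auth-Type := ldap
			}
		}

		#  For MS-CHAPv2 requests mschap sets Auth-Type := MS-CHAP.
		#  With AD as the backend it needs ntlm_auth/winbind configured
		#  in mods-available/mschap, because the NT hash is not readable.
		mschap
		pap
	}

	authenticate {
		#  Re-bind to the directory as the user with the User-Name and
		#  User-Password from the request; the directory verifies the
		#  password itself, so no read access to it is required.
		Auth-Type LDAP {
			ldap
		}

		Auth-Type MS-CHAP {
			mschap
		}

		Auth-Type PAP {
			pap
		}

		eap
	}
}
```

In `radiusd -X` output the difference is visible immediately: a TTLS+PAP request shows `User-Password` in the inner tunnel and the `ldap` module reporting a successful bind as the user, whereas a PEAP request shows only `MS-CHAP2-Response` and goes to `mschap`, which fails unless ntlm_auth is configured.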