Alan DeKok wrote:

Sean Perry <[EMAIL PROTECTED]> wrote:

I am trying to set up a Linux VPN. Most of the pieces are now in place. I am trying to authenticate against radius which in turn will authenticate against our existing Active Directory server.


  People have done this.  To a certain extent, AD is just another LDAP
server.



yeah, I have it working in other applications like apache so I know it can be done.


Looking through the archives I see several people try but no real responses. Ron Wahler claims to have Active Directory working but he was not using chap.

Is this possible?


  Not with CHAP.  AD doesn't allow you to look at the users' clear-text
passwords, so CHAP is impossible.


I have solved this in other cases by using the password to rebind as the user. If the bind fails the password is incorrect. What I have not seen is a way to get the password out of CHAP. Is this a viable solution??


  Yet, somehow, IAS does CHAP against AD.  Is anyone willing to bet
*against* the idea that Microsoft has one API for customers, and
another, better API for themselves?


it is not entirely unreasonable to believe they have a CHAP --> Kerberos interface. But I agree with you, they definitely make life harder for the rest of us.
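
Added example, not part of the original thread: the CHAP computation from RFC 1994, showing why the verifier needs the clear-text password and why there is no password in a CHAP exchange to rebind with. Function names, the sample password and the salted SHA-256 stand-in for a directory's one-way storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def peer_answer(identifier: int, password: bytes, challenge: bytes) -> dict:
    """What reaches the RADIUS server: id, challenge and a 16-byte digest."""
    return {"id": identifier, "challenge": challenge,
            "response": chap_response(identifier, password, challenge)}


def verify_with_cleartext(msg: dict, stored_password: bytes) -> bool:
    """Works: the server can recompute the digest from the real password."""
    expected = chap_response(msg["id"], stored_password, msg["challenge"])
    return hmac.compare_digest(expected, msg["response"])


def verify_with_one_way_hash(msg: dict, stored_hash: bytes) -> bool:
    """Fails: a one-way hash of the password is not the MD5 input CHAP used."""
    expected = chap_response(msg["id"], stored_hash, msg["challenge"])
    return hmac.compare_digest(expected, msg["response"])


def demo() -> dict:
    password = b"correct horse"  # constructed sample value
    # Stand-in for a back end that keeps only a non-reversible form (assumption).
    stored_hash = hashlib.sha256(b"salt" + password).digest()
    m1 = peer_answer(1, password, os.urandom(16))
    m2 = peer_answer(2, password, os.urandom(16))
    return {
        "cleartext_ok": verify_with_cleartext(m1, password),
        "wrong_password": verify_with_cleartext(m1, b"guess"),
        "hash_only": verify_with_one_way_hash(m1, stored_hash),
        # A fresh challenge gives a fresh digest, so nothing here is replayable
        # as a bind credential, and the password itself is never transmitted.
        "responses_differ": m1["response"] != m2["response"],
        "password_on_wire": password in m1["challenge"] + m1["response"],
    }


if __name__ == "__main__":
    print(demo())
```

A bind-style check needs the password itself, which a PAP request carries and a CHAP request does not.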




