Sorry to keep asking but can you post an example (using mschap) to authenticate from freeradius to AD using the ntlm_auth method?
On 8/18/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > Ok using these settings it seems to authenticate with radtest
> ...
> > [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
>
> i.e. clear-text password.
>
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
>
> i.e. NO PASSWORD WAS RETURNED BY AD.
>
> > rlm_ldap: bind as CN=Tim
> > Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> > gtds-domcon.gtdsolutions.org:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user tporritt authenticated succesfully
>
> i.e. You're binding to AD as the user.
>
> You are using AD as an "authentication oracle". You hand it bits of
> information, and it returns yes/no. You are NOT using AD as a database.
>
> > These two look to me like they authenticated the user successfully.
>
> Yes. Now try MSCHAP.
>
> > In /etc/ppp/options.l2tpd I have
> ..
> > Is it possible that this will work?
>
> Yes. But you're not getting the password from AD.
>
> As I said: AD will not supply the password. Nothing in what you've
> posted contradicts that.
>
> > Just looking for a way (and preferably an example) of the
> > authentication vs AD since I don't seem to understand how to do it. I
> > have looked in radius.conf and enabled the ntlm authentication but it
> > seems to insist upon using chap and not mschap-v2, is there a
> > difference?
>
> The client asks for CHAP, so that's what the RADIUS server sees.
> The RADIUS server DOES NOT, and CAN NOT change the authentication
> method the client uses.
>
> > It still complains about the "no cleartext password"
>
> Because, as I've said repeatedly, AD doesn't supply the password to
> you.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
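
Added illustration, not part of the original thread and not the posters' own configuration: a FreeRADIUS `mschap` module set up to hand the MS-CHAP challenge and response to Samba's `ntlm_auth` helper, so AD is still only asked yes/no and never has to return a password. The FreeRADIUS 3.x file layout, the `/usr/bin/ntlm_auth` path and a winbind-joined server are assumptions.

```conf
# mods-available/mschap  (FreeRADIUS 3.x layout, assumed; older releases
# keep this block inside the modules section of radiusd.conf)
mschap {
    # Pass the challenge/response pair to ntlm_auth. winbind forwards it to
    # the domain controller for verification; no password or hash is read
    # out of AD. The binary path is an assumption for this example.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-available/default (assumed virtual server)
authorize {
    # Sets Auth-Type to MS-CHAP only when the request carries
    # MS-CHAP attributes; CHAP and PAP requests are not affected.
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# /etc/ppp/options.l2tpd  (the NAS side, where the method is chosen)
# pppd must demand MS-CHAPv2 from the dial-in peer; the RADIUS server
# cannot change the method after the fact.
require-mschap-v2
```

The host running FreeRADIUS has to be joined to the domain with winbind running, and the account radiusd runs as needs access to winbind's privileged pipe. A plain CHAP request will still fail against this setup, because CHAP verification needs the clear-text password that AD does not supply.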