Dear Doove, Rene,

For a while it's impossible to use encrypted authentication (CHAP, MS-CHAP) against domain. It's also impossible (to my knowledge) to authenticate via Active Directory's LDAP, because it doesn't allow to request user's password hash directly via LDAP.
Solutions are to migrate (or synchronize) users' accounts to another source (file, database, etc.) with something like pwdump2 or to use FreeRADIUS as a proxy to Microsoft IAS. It's possible to create some daemon process to be launched on domain controller (based on pwdump2 technology) and to authorize via network against this process. In this case it will be possible to use MS-CHAP v1/2. I did some job in this direction but I have no time to complete it. If someone wanna try to complete it I can pass all I have.

--Friday, October 4, 2002, 5:39:00 PM, you wrote to [EMAIL PROTECTED]:

DR> Hello,

DR> I have successfully configured freeradius to use NT-domain authentication
DR> thru the use of the smb pam module. However this only seems to work if I use
DR> PAP on the client. This means the password is sent in cleartext. I like to
DR> see this password encrypted with (MS)-CHAP. Does anyone have experience with
DR> this; is it possible?

DR> If not; we are planning to go to Active Directory soon. Is it possible to
DR> use AD with LDAP and then authenticate with ldap and then use chap?

DR> Greeting,

DR> Rene Doove
DR> TOREX-HISCOM
DR> System Engineer

-- 
~/ZARAZA
You know my name - look up my number (Beatles)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
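
Added example, not part of the original thread: a sketch of why the PAM/SMB setup in the question works with PAP only. CHAP (RFC 1994) has the server recompute MD5 over the identifier, the user's secret and the challenge, so a backend that only answers "is this password correct?" gives it nothing to hash. The class names, the account and the password are constructed for illustration.

```python
import hashlib, hmac, os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class CleartextStore:
    """Hypothetical backend that can give the RADIUS server the cleartext password."""
    def __init__(self, users):
        self.users = dict(users)
    def verify_pap(self, user, password):
        secret = self.users.get(user)
        return secret is not None and hmac.compare_digest(secret, password)
    def verify_chap(self, user, ident, challenge, response):
        secret = self.users.get(user)
        return secret is not None and hmac.compare_digest(
            chap_response(ident, secret, challenge), response)

class BindOnlyBackend:
    """Hypothetical stand-in for a domain behind PAM/SMB or an LDAP bind: it only
    answers "is this password right?" and never releases the password or a hash."""
    def __init__(self, users):
        self._salt = os.urandom(16)
        self._db = {u: self._kdf(p) for u, p in users.items()}
    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 10_000)
    def verify_pap(self, user, password):
        stored = self._db.get(user)
        return stored is not None and hmac.compare_digest(stored, self._kdf(password))
    def verify_chap(self, user, ident, challenge, response):
        # The client never sends the password and the backend hands over nothing
        # that could be fed into MD5, so the response cannot be recomputed here.
        raise NotImplementedError("CHAP needs the secret on the RADIUS server")

def demo():
    users = {"alice": b"constructed-password"}   # constructed sample account
    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, users["alice"], challenge)  # sent by the client
    results = {}
    for backend in (CleartextStore(users), BindOnlyBackend(users)):
        name = type(backend).__name__
        results[name, "pap"] = backend.verify_pap("alice", users["alice"])
        try:
            results[name, "chap"] = backend.verify_chap("alice", ident, challenge, response)
        except NotImplementedError:
            results[name, "chap"] = None         # backend cannot decide
    return results

if __name__ == "__main__":
    print(demo())
```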
