> From: Alan DeKok
> Sent: Thursday, 4 September 2003 11:46 PM

> Sean Perry <[EMAIL PROTECTED]> wrote:
> > I am trying to set up a Linux VPN. Most of the pieces are now in place.
> > I am trying to authenticate against radius which in turn will
> > authenticate against our existing Active Directory server.

> People have done this. To a certain extent, AD is just another LDAP
> server.

> > Is this possible?

> Not with CHAP. AD doesn't allow you to look at the users' clear-text
> passwords, so CHAP is impossible.

> Yet, somehow, IAS does CHAP against AD. Is anyone willing to bet
> *against* the idea that Microsoft has one API for customers, and
> another, better API for themselves?

So surely you could proxy CHAP requests to IAS, and authenticate other
requests using the superior powers of FreeRADIUS. You'd end up with a
post-proxy section that looks a lot like your post-auth section.

I'm probably terribly terribly wrong here, but to my mind you _should_
be able to. After all, MS _have_ supplied a RADIUS interface to the
passwords on the server, which seems an improvement over having to write
the W32API authentication calls yourself.

--
=========================================================
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
  -- Cambridge University Math Department
---------------------------------------------------------
Random signature generator 3.0 by Paul "TBBle" Hampson
=========================================================
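Added example, not part of the original thread: a sketch of why a RADIUS server needs the clear-text password to check CHAP, following the CHAP calculation in RFC 1994 and the CHAP-Password attribute layout in RFC 2865. The password, challenge and the SHA-256 "stored hash" are constructed stand-ins (AD's own hash format is different); the function names are hypothetical.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(chap_password_attr: bytes, challenge: bytes, secret: bytes) -> bool:
    """Check a RADIUS CHAP-Password attribute: 1-byte CHAP ident + 16-byte response.

    The server must recompute the MD5 over the same secret the client used,
    so it needs the user's password in recoverable form.
    """
    if len(chap_password_attr) != 17:
        return False
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(chap_id, secret, challenge)
    return hmac.compare_digest(response, expected)

# --- Constructed sample data (not from the thread) ---
PASSWORD = b"correct horse"                      # what the user types
CHALLENGE = bytes(range(16))                     # CHAP-Challenge sent by the NAS
CHAP_ID = 0x2A
# What the client/NAS puts in the Access-Request:
CHAP_PASSWORD_ATTR = bytes([CHAP_ID]) + chap_response(CHAP_ID, PASSWORD, CHALLENGE)

# A directory that keeps only a one-way hash of the password
# (SHA-256 here as a stand-in for whatever hash the directory stores).
STORED_HASH = hashlib.sha256(PASSWORD).digest()

def server_with_cleartext() -> bool:
    # Server can read the clear-text password: verification succeeds.
    return verify_chap(CHAP_PASSWORD_ATTR, CHALLENGE, PASSWORD)

def server_with_hash_only() -> bool:
    # Server only has a one-way hash: it cannot reproduce the client's MD5
    # input, so the recomputed value never matches.
    return verify_chap(CHAP_PASSWORD_ATTR, CHALLENGE, STORED_HASH)

if __name__ == "__main__":
    print("clear-text available:", server_with_cleartext())
    print("hash only:           ", server_with_hash_only())
```
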