> From: Alan DeKok
> Sent: Thursday, 4 September 2003 11:46 PM
> Sean Perry <[EMAIL PROTECTED]> wrote:
> > I am trying to set up a Linux VPN. Most of the pieces are now in place.
> > I am trying to authenticate against radius which in turn will
> > authenticate against our existing Active Directory server.
> People have done this. To a certain extent, AD is just another LDAP
> server.
> > Is this possible?
> Not with CHAP. AD doesn't allow you to look at the user's clear-text
> passwords, so CHAP is impossible.
> Yet, somehow, IAS does CHAP against AD. Is anyone willing to bet
> *against* the idea that Microsoft has one API for customers, and
> another, better API for themselves?
So surely you could proxy CHAP requests to IAS, and authenticate other
requests using the superior powers of FreeRADIUS. You'd end up with
a post-proxy section that looks a lot like your post-auth section.
I'm probably terribly terribly wrong here, but to my mind you _should_
be able to. After all, MS _have_ supplied a RADIUS interface to the
passwords on the server, which seems an improvement over having to
write the W32API authentication calls yourself.
--
=========================================================
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]
This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
---------------------------------------------------------
Random signature generator 3.0 by Paul "TBBle" Hampson
=========================================================
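
Added example, not part of the original thread or of FreeRADIUS: a Python sketch of the RFC 1994 CHAP check as carried in the RADIUS CHAP-Password attribute (RFC 2865), showing why the verifier needs the clear-text password and why a server holding only a one-way hash cannot validate the response itself. The password, challenge and identifier are constructed sample values, and SHA-256 is an assumed stand-in for whatever one-way hash the directory stores.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def parse_chap_password(attr: bytes):
    """RFC 2865 CHAP-Password value: 1 octet CHAP ident + 16 octet response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, challenge: bytes, secret: bytes) -> bool:
    """Recompute the response from the secret the server holds and compare."""
    ident, response = parse_chap_password(attr)
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"correct horse"
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    ident = 0x2A

    # What the client (via the NAS) sends: ident + MD5 over the clear-text password.
    attr = bytes([ident]) + chap_response(ident, password, challenge)

    # Assumed stand-in for a directory that only exposes a one-way hash.
    stored_hash = hashlib.sha256(password).digest()

    return {
        # Server that can read the clear-text password: check succeeds.
        "cleartext_store": verify_chap(attr, challenge, password),
        # Server that only has a hash: nothing it holds reproduces the response.
        "hash_only_store": verify_chap(attr, challenge, stored_hash),
        # Wrong password is rejected as expected.
        "wrong_password": verify_chap(attr, challenge, b"guess"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```
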