Does that mean that I don't need to use the LDAP modules on FreeRadius and use only the ntlm_auth? Is it enough?

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 19:21
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> But if the domain controller uses LDAP, why do we have to use LDAP and
> after that ntlm_auth ???

Because Active Directory isn't LDAP in the same way that other LDAP servers are LDAP. You can't get NT-Passwords from AD, you can get it from other LDAP servers. Therefore, you can't get FreeRADIUS to compare a known good password to the password in the Access-Request, you've got to use something else.

In this case, NT domain authentication does MS-CHAP, so FreeRADIUS can use ntlm_auth to do MS-CHAP to the NT domain, and thus authenticate the user.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
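
The hand-off described in the quoted reply, shown as an added configuration example that is not part of the original thread: the `mschap` module in `radiusd.conf` passes the MS-CHAP challenge and response to Samba's `ntlm_auth`, which asks the domain controller to verify them. The path `/usr/bin/ntlm_auth` is an assumption, as is a RADIUS host that is already joined to the domain with winbindd running.

```conf
# Added example, not from the thread.
# Assumptions: ntlm_auth lives at /usr/bin/ntlm_auth, the RADIUS host is a
# domain member, and winbindd is running so ntlm_auth can reach the DC.
mschap {
    # FreeRADIUS has no NT-Password to compare against, so it forwards the
    # challenge and NT-Response from the Access-Request to the NT domain.
    # --request-nt-key asks for the session key material needed to build
    # the MS-CHAP success reply.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```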

