Tim P <[EMAIL PROTECTED]> wrote:
> Ok using these settings it seems to authenticate with radtest ...
> [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret

  i.e. clear-text password.

> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

  i.e. NO PASSWORD WAS RETURNED BY AD.

> rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> gtds-domcon.gtdsolutions.org:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user tporritt authenticated succesfully

  i.e. You're binding to AD as the user.  You are using AD as an "authentication oracle".  You hand it bits of information, and it returns yes/no.  You are NOT using AD as a database.

> These two look to me like they authenticated the user successfully.

  Yes.  Now try MSCHAP.

> In /etc/ppp/options.l2tpd I have ..
> Is it possible that this will work?

  Yes.  But you're not getting the password from AD.  As I said: AD will not supply the password.  Nothing in what you've posted contradicts that.

> Just looking for a way (and preferably an example) of the
> authentication vs AD since I don't seem to understand how to do it.  I
> have looked in radius.conf and enabled the ntlm authentication but it
> seems to insist upon using chap and not mschap-v2, is there a
> difference?

  The client asks for CHAP, so that's what the RADIUS server sees.  The RADIUS server DOES NOT, and CAN NOT change the authentication method the client uses.

> It still complains about the "no cleartext password"

  Because, as I've said repeatedly, AD doesn't supply the password to you.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

