Bohannan, Chad W wrote:
You cannot set the Auth-Type to "MS-CHAP" and have it work unless the MS-CHAP challenge and response are in the radius request, which means the NAS has to add them.
- .....so is there not a way to have FR proxy the request out to the AD server?

There is not an obvious easy way of using the "ntlm_auth" helper with the plaintext user/password in PAP, though it may be possible using the "exec" module.

PAP requests can be authenticated by doing an LDAP simple bind to an AD server I believe (I've never done it). The "doc/rlm_ldap" file seems to describe most of what's required:

"""When rlm_ldap has found the DN corresponding to the username provided in the access-request (all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check items list containing that DN. The attribute will be searched for in the authenticate section and if present will be used for authentication (ldap bind with the user DN/password). Otherwise..."""

Which sounds to me like you should be able to put an (appropriately configured) "ldap" in authorize and authenticate and it will just work(tm).

One thing I do know is that AD REQUIRES that you bind as some user (e.g. a service account) first before searching for the actual user. Most likely an appropriate config for you would look like the default config with appropriate entries, and an "identity" and "password" defined (and probably with access_attr commented out).

But I haven't used it. That said, there are a lot of recent posts about AD and LDAP, so one of them may contain fuller details.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
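As an added illustration (not from the poster or the FreeRADIUS project), this is what the "ldap in authorize and authenticate" setup described in the reply looks like as a FreeRADIUS 2.x configuration fragment; the server name, service-account DN, base DN and filter are assumptions and must be replaced with your own values.

```conf
# modules/ldap (or the ldap {} block in radiusd.conf) -- assumed values throughout
ldap {
    server = "ad.example.com"                 # assumed AD domain controller
    # AD refuses anonymous searches, so bind with a service account first,
    # exactly as the reply notes; placeholder credentials below.
    identity = "cn=radius-svc,cn=Users,dc=example,dc=com"
    password = "SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER"
    basedn = "dc=example,dc=com"
    # Map the RADIUS User-Name to the AD account; sAMAccountName is assumed
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    # Leave access_attr commented out, as the reply suggests, otherwise
    # every user needs that attribute set before rlm_ldap will authorize them.
    # access_attr = "dialupAccess"
    # The user's PAP password is sent to AD in the simple bind, so protect
    # the RADIUS<->AD leg with TLS (StartTLS shown; ldaps on 636 also works).
    tls {
        start_tls = yes
    }
}

# sites-enabled/default: rlm_ldap in authorize finds the DN and adds
# Ldap-UserDN; with no known password it sets Auth-Type := LDAP, and the
# authenticate section then performs the bind as that DN with the PAP password.
authorize {
    preprocess
    ldap
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}
```

A failed bind shows up in the debug output (radiusd -X) as a rejected Access-Request with the LDAP error code, which is the first thing to check when a user is denied.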