On 20.05.2008 at 16:20, Arran Cudbard-Bell wrote:
Dean, Barry wrote:
Alan DeKok said:
It is impossible to use CHAP to authenticate to AD. You MUST use
MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that
EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with
CHAP inner auth all failed.
So you have explained why EAP-TTLS (CHAP) fails, thanks!
So, are EAP-MD5 and EAP-TTLS (MD5) also not possible, or is my
Radius config broken?
EAP-MD5 won't work either...
Ok, the basic requirement for most authentication schemes
transferring the user's credentials as a non-reversible hash is
that the password is available RADIUS-side as either a clear-text
string, or as a reversible hash which can be transformed back into
a clear-text string.
I say most because there are of course a few exceptions, the most
notable being MSCHAP & MSCHAPv2, which allow you to store the
password directory-side as an MD4 hash of the passphrase encoded as
a 16-bit Unicode string (NT Password) or a LANMAN password (can't
remember the encoding for that).
For those interested in how the passwords are made, see the man page for
smbpasswd(5), e.g.: http://samba.org/samba/docs/man/manpages-3/smbpasswd.5.html
I believe that AD uses NT Password hashes, which is why PEAP just
works out of the box with Microsoft IAS. So no, MD5/CHAP won't work
with Active Directory. But PAP, MSCHAP/MSCHAPv2 should all work
just fine.
Thanks,
Arran
---------------
Barry Dean
Networks Team
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services (IT Services) E1-1-08, Engineering 1,
University Of Sussex, Brighton
EXT: +44 1273 873900 | INT: 3900
Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841