Alan,

Thank you very much for your reply.

I understand it is a limitation of AD not to send passwd (unlike LDAP).

Question: Can FreeRADIUS use ntlm_auth from Samba to make this happen? I mean: PEAP w/MSCHAPv2 and using AD as User profile storage?

The ntlm_auth doc by Andrew from Samba mentions using FreeRADIUS to do MSCHAP for his prototype pppd/CHAP implementation to talk to an NT domain... Do you think a similar port to FreeRADIUS is possible?

Thank you,

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jack J <[EMAIL PROTECTED]> wrote:
> > If one has Supplicant (client) configured for
> > EAP-PEAP w/ MS-CHAPv2 and on FreeRADIUS (or any
> > other RADIUS server) configured to terminate PEAP
> > w/MS_CHAPv2, but user profiles are stored on
> > Active Directory.
> >
> > Does FreeRADIUS support this?
>
> Yes, but AD doesn't. AD won't let FreeRADIUS get clear-text
> passwords from it. Other LDAP servers don't have this limitation.
>
> > If userprofile is on LDAP I think it would work since
> > LDAP bind/search would return userPassword attribute,
> > whereas AD does not. Thus CHAP cannot be done in AD
> > case. Is this true?
>
> Currently, yes.
>
> > Currently EAP-PEAP w/ MS-CHAPv2 termination works on
> > some commercial FreeRADIUS servers
>
> There are no commercial FreeRADIUS servers.
>
> Other, Windows servers can do this, because
> they're running on Windows.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html