You _cannot_ read the unicodePwd attribute (where the actual passwd lies) from AD. It can only be written to, and then only under certain conditions (SSL/TLS connection, and if not written by an admin, then a delete/add must be performed in the same operation).

This is why you should use ntlm_auth w/PEAP for AD auth. You could be able to auth against LDAP (PAP) in a TTLS situation (not tried that yet, so I don't know how it would work), but you will never retrieve the unicodePwd attribute.

Hope this helps.

Graham, Robert wrote:
>> No. Messages in the past few days have said you can't get passwords
>> from AD. It's impossible.
>
>> You have to use ntlm_auth. See radiusd.conf
>
>> Alan DeKok.
>
> This still doesn't make any sense. I have ntlm_auth enabled, and it is
> working fine authenticating our vpn users using ms-chap.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
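As an added example (not from the post or from the FreeRADIUS project), a small Python helper that assembles and lints the single LDAP Modify request AD accepts for unicodePwd, following the constraints described above: TLS only, and a non-admin change must delete the old value and add the new one in the same operation. The function names are hypothetical, the operation codes are the RFC 4511 values, the quoted UTF-16LE value encoding is documented Microsoft behaviour not mentioned in the post, and no directory connection is made.

```python
from typing import List, Optional, Tuple

# RFC 4511 ModifyRequest operation codes, as exposed by most LDAP client libraries.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
Change = Tuple[int, str, List[bytes]]


def encode_unicode_pwd(password: str) -> bytes:
    # AD expects the value as the password wrapped in double quotes, UTF-16LE encoded
    # (documented Microsoft behaviour; the encoding is an assumption not in the post).
    return f'"{password}"'.encode("utf-16-le")


def build_unicode_pwd_modify(old_password: Optional[str], new_password: str,
                             actor_is_admin: bool, over_tls: bool) -> List[Change]:
    """Build the one ModifyRequest AD accepts for unicodePwd (hypothetical helper).

    The returned (operation, attribute, values) tuples must be sent in a single
    request. Per the post: TLS is mandatory; an admin may replace the value
    outright; a self-service change must delete the old value and add the new
    one in the same operation, which is how AD verifies the old password.
    """
    if not over_tls:
        raise ValueError("unicodePwd can only be written over an SSL/TLS session")
    if actor_is_admin:
        return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]
    if old_password is None:
        raise ValueError("a non-admin change must supply the current password")
    return [(MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
            (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)])]


def validate_unicode_pwd_modify(changes: List[Change], actor_is_admin: bool) -> List[str]:
    """Lint a proposed change list before a provisioning tool sends it.

    Returns a list of problems (empty means acceptable). Catches the two
    mistakes that make AD reject the write: a non-admin splitting delete and
    add across requests, and values that are not double-quoted UTF-16LE.
    """
    problems = []
    pwd_ops = [(op, vals) for op, attr, vals in changes if attr == "unicodePwd"]
    ops = [op for op, _ in pwd_ops]
    if not actor_is_admin and sorted(ops) != [MOD_ADD, MOD_DELETE]:
        problems.append("non-admin change needs exactly one delete and one add in the same request")
    for _, vals in pwd_ops:
        for v in vals:
            if len(v) % 2 or not (v.startswith(b'"\x00') and v.endswith(b'"\x00')):
                problems.append("value is not a double-quoted UTF-16LE string")
    return problems
```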