Would Kerberos authentication work with AD and EAP, or am I thinking too early in the day?
On Tue, Feb 17, 2009 at 8:55 AM, <t...@kalik.net> wrote:
>>Hi, I have several problems when I would like to link freeradius with AD
>>using OpenLDAP.
>
> Look up
> http://deployingradius.com/documents/configuration/active_directory.html
> to see how to integrate with AD for pap and mschap/PEAP.
>
>>When I tried to test the binding of OpenLDAP to the AD with radtest, it
>>responds Access-Accept (as you can see in the log after).
>
> Yes.
>
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as
>>CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
>>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
>>Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated
>>succesfully
>
> Ldap "bind as user" works for pap requests. And nothing else. This is
> documented in the ldap module configuration file.
>
>>But when I wanted to check with a real supplicant (under WinXP with
>>MD5-Challenge Auth) I got an access-reject.
>>
>
> EAP-MD5 authentication requires clear text password:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> AD is not going to provide it via ldap. You can't use AD to authenticate
> with EAP-MD5. Obtaining a reversibly encrypted password from AD is
> proprietary MS stuff. You need IAS for that plus to enable reversible
> passwords for your users in Remote Access Policy. If this wasn't
> enabled already, reversible passwords will be created next time user
> changes the password (i.e. all users will most likely need to enter new
> passwords).
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
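The quoted exchange turns on one point: an LDAP "bind as user" only answers yes/no to a username/password pair, so it can serve PAP (the request carries the cleartext User-Password) but not EAP-MD5, where the server must itself compute MD5(Identifier || Password || Challenge) and therefore needs the cleartext password. The following Python example is added here to make that concrete; it is not code from the thread or from FreeRADIUS. The directory, the request dictionaries and all helper names (`ldap_bind_as_user`, `auth_bind_only`, `auth_with_cleartext`) are a constructed, simplified model, not rlm_ldap's real API.

```python
import hashlib
import hmac

# Constructed stand-in for the directory. Like an AD bind, the RADIUS server can
# only ask "does this username/password bind succeed?"; it cannot read the
# stored password back.  (Sample user and password are made up.)
_DIRECTORY = {"philippe": "correct horse battery staple"}


def ldap_bind_as_user(username: str, password: str) -> bool:
    """Simulated 'bind as user': a yes/no answer and nothing more (hypothetical helper)."""
    return _DIRECTORY.get(username) == password


def pap_request(username: str, password: str) -> dict:
    """A PAP Access-Request as radtest sends it: User-Name plus cleartext User-Password."""
    return {"User-Name": username, "User-Password": password}


def eap_md5_request(username: str, identifier: int, challenge: bytes, response: bytes) -> dict:
    """An EAP-MD5 Access-Request: the supplicant sends a 16-byte MD5 digest, never the password."""
    return {"User-Name": username, "EAP-Identifier": identifier,
            "EAP-Challenge": challenge, "EAP-Response": response}


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Supplicant side of EAP-MD5 (RFC 3748 section 5.4, same construction as CHAP,
    RFC 1994): Response = MD5(Identifier || Password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode("utf-8") + challenge).digest()


def auth_bind_only(request: dict) -> str:
    """Server whose only credential check is the LDAP bind (the thread's setup).

    PAP works because the request contains the cleartext password to bind with.
    An EAP-MD5 request contains no User-Password at all, so there is nothing to
    bind with and the only possible answer is Access-Reject, exactly what the
    WinXP MD5-Challenge supplicant got.
    """
    user_password = request.get("User-Password")
    if user_password is None:
        return "Access-Reject"
    ok = ldap_bind_as_user(request["User-Name"], user_password)
    return "Access-Accept" if ok else "Access-Reject"


def auth_with_cleartext(request: dict) -> str:
    """Server that can obtain the cleartext password (e.g. a local users file, or
    AD with reversible encryption fetched through IAS, as the reply explains).

    With the password in hand it can recompute the EAP-MD5 digest and compare.
    Assumption for the model: the password is read straight from _DIRECTORY.
    """
    known_password = _DIRECTORY.get(request["User-Name"])
    if known_password is None:
        return "Access-Reject"
    if "User-Password" in request:                      # PAP: direct comparison
        ok = hmac.compare_digest(known_password.encode(), request["User-Password"].encode())
    else:                                               # EAP-MD5: recompute the digest
        expected = eap_md5_response(request["EAP-Identifier"], known_password,
                                    request["EAP-Challenge"])
        ok = hmac.compare_digest(expected, request["EAP-Response"])
    return "Access-Accept" if ok else "Access-Reject"


if __name__ == "__main__":
    challenge = bytes(range(16))                         # constructed challenge
    good = eap_md5_response(7, _DIRECTORY["philippe"], challenge)
    print("PAP via bind      :", auth_bind_only(pap_request("philippe", _DIRECTORY["philippe"])))
    print("EAP-MD5 via bind  :", auth_bind_only(eap_md5_request("philippe", 7, challenge, good)))
    print("EAP-MD5 cleartext :", auth_with_cleartext(eap_md5_request("philippe", 7, challenge, good)))
```

The same reasoning is why the linked compatibility table pairs EAP-MD5 only with password stores that hand the server a cleartext (or reversibly encrypted) password: the verification step runs on the server, not in the directory.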