CHAP, LDAP and MS AD

[duckeo]

I just wanted to confirm what I have researched and found to be 'not feasible'.

Using CHAP authentication with Microsoft Active Directory is not
possible without modifying the Active Directory to store a plain-text
version of the password.

MS-CHAP is an option but must be supported on the client end, using ntlm_auth.

I ask as I am trying to persue the path of getting the end client to
use PAP, but wanted to get my facts straight first.

Thanks
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: CHAP, LDAP and MS AD

[Stefan Winter]

Hi,

 MS-CHAP is an option but must be supported on the client end, using
 ntlm_auth.

ntlm_auth needs to run on the server that also runs FreeRADIUS, because 
FreeRADIUS passes the credentials to ntlm_auth, which will then do the job 
(i.e. talk to AD and verify the credentials).
The client does not have to know anything about ntlm_auth. It just needs to 
talk MS-CHAP.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html