Re: authenticate machine accounts with ntlm_auth
Kris Benson wrote:

>>> I'm very frustrated now after spending a couple of weeks trying to get
>>> free radius to authenticate my Win2k machine accounts against active
>>> directory. :-(
>>
>> Sorry, blame Microsoft. It isn't possible, but they don't make it
>> obvious that it's not possible.
>>
>>> Alan, do you know of any way to get this working. I have been assured
>>> that Funk can do this, have you any idea how Funk are doing it. Funk
>>> costs too much. Maybe I'm not allowed to ask such questions.
>>
>> Funk does it by running the radius server on the AD server. At that
>> point, they can use *internal* Windows API's or hacks to get at the
>> data. Since FreeRADIUS is running externally, it can't use those
>> API's, and thus won't work.
>>
>> FreeRADIUS *will* run on XP. If someone were to write the necessary
>> code, you could run the server on XP, and do what Funk does.
>
> It sounds to me like you're saying this is a server-side issue. Since AD
> is available via LDAP, why couldn't this FreeRadius install just use
> rlm_ldap to access the machine account info in AD?
>
> The Microsoft side of things isn't my greatest strength, least of all the
> AD/LDAP stuff, but it seems as though this *should* work. :-)
>
> -kb
> --
> Kris Benson, CCP, I.S.P.
> Technical Analyst, District Projects
> School District #57 (Prince George)

AD unfortunately does not provide the passwords via LDAP; the authentication gets passed on to a Kerberos implementation, LDAP just provides group information. I'd look into a solution for radius that is able to either authenticate via machine accounts provided via winbindd, or an implementation that is able to use Kerberos for user account authentication information.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authenticate machine accounts with ntlm_auth
Hi,

> It sounds to me like you're saying this is a server-side issue. Since AD
> is available via LDAP, why couldn't this FreeRadius install just use
> rlm_ldap to access the machine account info in AD?

No. There is one important difference between plain LDAP and AD: an AD server will _never_ give away the user's (machine's) password. Never. The closest thing you can get is a MS-CHAP challenge that is built from the password, but for some reason that doesn't do the trick.

> The Microsoft side of things isn't my greatest strength, least of all the
> AD/LDAP stuff, but it seems as though this *should* work.

It would, if AD would give you the password. But it doesn't.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tél.: +352 424409-1
http://www.restena.lu
fax: +352 422473
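The architecture the last two replies describe (LDAP answers attribute queries but never hands out the password, so the credential check has to be delegated to something that holds the password-derived secret) can be made concrete with a small model. This is an added example, not code from the thread or from the FreeRADIUS project: the `Directory`, `DomainController` and `RadiusServer` classes, the account `LAB-PC01$` and its DN, and the secret store are all constructed for illustration, and HMAC-SHA256 stands in for the NT-hash/DES construction of real MS-CHAP, because the point is the delegation pattern rather than the cipher.

```python
"""Model of why a RADIUS server cannot verify MS-CHAP against AD via LDAP alone.

Added example, not FreeRADIUS code. Three hypothetical roles:
  - Directory:        answers LDAP-style attribute queries but refuses to
                      release a password attribute (as AD does).
  - DomainController: holds the account's password-derived secret and verifies
                      challenge/response pairs (the role ntlm_auth/winbindd
                      delegate to).
  - RadiusServer:     sees only the challenge and the client's response and
                      never holds the secret itself.
HMAC-SHA256 is a stand-in for the real MS-CHAP response computation.
"""
import hashlib
import hmac
import os

# Constructed sample directory: a machine account with group membership but,
# like AD, no readable password attribute.
SAMPLE_DN = "CN=LAB-PC01,CN=Computers,DC=example,DC=test"
SAMPLE_DIRECTORY = {
    SAMPLE_DN: {
        "sAMAccountName": "LAB-PC01$",
        "memberOf": ["CN=WirelessClients,CN=Users,DC=example,DC=test"],
    }
}

# Constructed secret store that only the domain controller can read.
SAMPLE_SECRETS = {"LAB-PC01$": b"constructed-machine-account-secret"}


class PasswordNotExposed(Exception):
    """Raised when a caller asks the directory for a password attribute."""


class Directory:
    def __init__(self, entries):
        self.entries = entries

    def lookup(self, dn, attr):
        # AD returns group membership over LDAP but never the password
        # (unicodePwd is write-only); model that as a hard refusal.
        if attr == "unicodePwd":
            raise PasswordNotExposed(attr)
        return self.entries[dn].get(attr)


def password_readable(directory, dn):
    """True only if the directory would hand out the password attribute."""
    try:
        directory.lookup(dn, "unicodePwd")
    except PasswordNotExposed:
        return False
    return True


class DomainController:
    def __init__(self, secrets):
        self._secrets = secrets

    @staticmethod
    def compute_response(secret, challenge):
        # Stand-in for the MS-CHAP response derived from the NT hash.
        return hmac.new(secret, challenge, hashlib.sha256).digest()

    def verify(self, account, challenge, response):
        secret = self._secrets.get(account)
        if secret is None:
            return False
        expected = self.compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)


class RadiusServer:
    def __init__(self, directory, dc):
        self.directory, self.dc = directory, dc

    def authenticate(self, account, dn, challenge, response):
        # The credential check is delegated to the DC; LDAP supplies only
        # authorization data (group membership) once the DC has said yes.
        if not self.dc.verify(account, challenge, response):
            return None
        return {"account": account, "groups": self.directory.lookup(dn, "memberOf")}


def demo(client_secret=SAMPLE_SECRETS["LAB-PC01$"], challenge=None):
    """Run one authentication round; a wrong client secret yields None."""
    challenge = challenge if challenge is not None else os.urandom(16)
    # The client computes the response from its own copy of the secret.
    response = DomainController.compute_response(client_secret, challenge)
    server = RadiusServer(Directory(SAMPLE_DIRECTORY), DomainController(SAMPLE_SECRETS))
    return server.authenticate("LAB-PC01$", SAMPLE_DN, challenge, response)


if __name__ == "__main__":
    print(demo())
    print(password_readable(Directory(SAMPLE_DIRECTORY), SAMPLE_DN))
```

Run as a script it prints the accepted account with its groups, then `False` for the password lookup. The design choice worth noticing is that `RadiusServer` has no code path that could ever reach the secret: swapping `DomainController` for a plain LDAP query, as rlm_ldap would, leaves it with nothing to compare the response against.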
Re: authenticate machine accounts with ntlm_auth
"Kris Benson" <[EMAIL PROTECTED]> wrote:

> It sounds to me like you're saying this is a server-side issue.

I'm saying the exact opposite. It's a function of running on Windows, and it has nothing to do with the RADIUS server. FreeRADIUS can run on Windows, and with the right code, it will most likely do what you want.

> Since AD
> is available via LDAP, why couldn't this FreeRadius install just use
> rlm_ldap to access the machine account info in AD?

The AD information you need IS NOT AVAILABLE THROUGH LDAP.

Alan DeKok.
Re: authenticate machine accounts with ntlm_auth
>> I'm very frustrated now after spending a couple of weeks trying to get
>> free radius to authenticate my Win2k machine accounts against active
>> directory. :-(
>
> Sorry, blame Microsoft. It isn't possible, but they don't make it
> obvious that it's not possible.
>
>> Alan, do you know of any way to get this working. I have been assured
>> that Funk can do this, have you any idea how Funk are doing it. Funk
>> costs too much. Maybe I'm not allowed to ask such questions.
>
> Funk does it by running the radius server on the AD server. At that
> point, they can use *internal* Windows API's or hacks to get at the
> data. Since FreeRADIUS is running externally, it can't use those
> API's, and thus won't work.
>
> FreeRADIUS *will* run on XP. If someone were to write the necessary
> code, you could run the server on XP, and do what Funk does.

It sounds to me like you're saying this is a server-side issue. Since AD is available via LDAP, why couldn't this FreeRadius install just use rlm_ldap to access the machine account info in AD?

The Microsoft side of things isn't my greatest strength, least of all the AD/LDAP stuff, but it seems as though this *should* work. :-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: authenticate machine accounts with ntlm_auth
<[EMAIL PROTECTED]> wrote:

> I'm very frustrated now after spending a couple of weeks trying to get
> free radius to authenticate my Win2k machine accounts against active
> directory. :-(

Sorry, blame Microsoft. It isn't possible, but they don't make it obvious that it's not possible.

> Alan, do you know of any way to get this working. I have been assured
> that Funk can do this, have you any idea how Funk are doing it. Funk
> costs too much. Maybe I'm not allowed to ask such questions.

Funk does it by running the radius server on the AD server. At that point, they can use *internal* Windows API's or hacks to get at the data. Since FreeRADIUS is running externally, it can't use those API's, and thus won't work.

FreeRADIUS *will* run on XP. If someone were to write the necessary code, you could run the server on XP, and do what Funk does.

Alan DeKok.
RE: authenticate machine accounts with ntlm_auth
>> j.cluzel wrote:
>> Is it possible to authenticate a machine account with ntlm_auth ?
>
> No. AD does not permit that.
>
> Alan DeKok.

I'm very frustrated now after spending a couple of weeks trying to get free radius to authenticate my Win2k machine accounts against active directory. :-(

Alan, do you know of any way to get this working. I have been assured that Funk can do this, have you any idea how Funk are doing it. Funk costs too much. Maybe I'm not allowed to ask such questions.

Regards,
Martin.
Re: authenticate machine accounts with ntlm_auth
Jérémy Cluzel <[EMAIL PROTECTED]> wrote:

> Is it possible to authenticate a machine account with ntlm_auth ?

No. AD does not permit that.

Alan DeKok.