List:       freeradius-users
Subject:    Re: FreeRADIUS & AD LAP Communication
From:       Russell Mike <radius.sir () gmail ! com>
Date:       2013-11-21 11:27:47
Message-ID: CADao4Cq1UD-MZ1H=7owy8ZYcb-x+Qe93pwnMCkv7Ot070Jhj4Q () mail ! gmail ! com

Thank You Stefan. I shall study !!
Regards
RM --


On Wed, Nov 20, 2013 at 5:36 PM, <stefan.paetow@diamond.ac.uk> wrote:

> > 3a) Following is the output with REJECT access. Perhaps because
> > password storage in AD is not clear text, is it due to that?
> >     Perhaps it cannot be tested with radtest? I am using the following
> > to test, is it the correct test?
> > radtest mike aabb88@ localhost 1812 HYbbunINFDR$88
>
> Correct. Active Directory does not store its passwords in plain-text.
> Active Directory only accepts NTLM/MSCHAPv2 authentication (or Kerberos,
> but that's a whole different kettle of fish).
>
> Additionally, you are better off testing EAP-TTLS/EAP-MSCHAPv2 or EAP-PEAP
> with Active Directory since that is what the general use case is. For that,
> you need eapol_test, which is part of the wpa_supplicant package.
>
> See http://deployingradius.com/documents/protocols/compatibility.html first, then
> http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source and
> http://confluence.diamond.ac.uk/display/PAAUTH/Building+eapol_test+in+wpa_supplicant for details :-)
>
> Stefan
>
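
The test recommended in the quoted reply, sketched as an added example (not part of the original thread, and not FreeRADIUS or wpa_supplicant project code): a shell helper that writes an eapol_test configuration for EAP-PEAP with inner MSCHAPv2 and runs it against a RADIUS server. The function names, SSID string, file paths and credentials are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: eapol_test configuration for EAP-PEAP with inner MSCHAPv2.
# Function names, SSID string and all credentials are placeholders.

# write_peap_conf FILE USER PASSWORD [CA_CERT]
write_peap_conf() {
    conf=$1; user=$2; pass=$3; ca=${4:-}
    (
        umask 077    # the file holds a cleartext password
        {
            printf 'network={\n'
            printf '    ssid="eapol-test"\n'
            printf '    key_mgmt=WPA-EAP\n'
            printf '    eap=PEAP\n'
            printf '    identity="%s"\n' "$user"
            printf '    anonymous_identity="anonymous"\n'
            printf '    password="%s"\n' "$pass"
            printf '    phase2="auth=MSCHAPV2"\n'
            # With ca_cert set, the RADIUS server certificate is validated;
            # without it, the TLS tunnel is built without checking the server.
            if [ -n "$ca" ]; then
                printf '    ca_cert="%s"\n' "$ca"
            fi
            printf '}\n'
        } > "$conf"
    )
}

# run_peap_test FILE SERVER SECRET
run_peap_test() {
    if ! command -v eapol_test >/dev/null 2>&1; then
        echo "eapol_test not found (it is built from wpa_supplicant)" >&2
        return 127
    fi
    eapol_test -c "$1" -a "$2" -p 1812 -s "$3"
}

# Usage (constructed values):
#   write_peap_conf /tmp/peap.conf mike 'PlaceholderPass' /etc/ssl/certs/radius-ca.pem
#   run_peap_test /tmp/peap.conf 127.0.0.1 'PlaceholderSecret'
```

A password containing a double quote would break the generated `network` block, so test accounts should avoid that character or the file should be edited by hand.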
