[RADIATOR] Radiator on Linux using LDAP2, MS Active Directory, MSCHAP-V2

Heikki Vatiainen hvn at open.com.au
Wed Oct 16 16:02:41 CDT 2013


On 10/15/2013 10:41 PM, Sevilla, Norman A wrote:

> The only function that we are unable to migrate successfully is 802.1X
> wireless authentication.  The Windows-based version used Authby LSA so
> the MSCHAP-V2 challenge worked successfully.  On the Linux-based system,
> Authby LDAP2 is finding my user account in AD but is failing with
> MSCHAP-V2 authentication failure.

Hello Norm,

the AD LDAP interface allows you to fetch a lot of information but it
does not expose the password or password hash. It appears to be
impossible to configure AD to do so. For MSCHAP-V2 you would need either
plain text password or NTHASH of password. Since neither is available
over LDAP from AD, this is why it fails.

> I’ve tried using the nt-hash
> conversion script in the goodies directory but I am not seeing
> ‘User-Password’ anywhere to be converted.  I’ve seen several threads
> stating that my best bet is to just stick to a Windows-based system but
> I’m hoping someone can help me figure out how to get this to work with
> on a Linux platform.

You would need to use AuthBy NTLM on Linux. This would provide you with
the authentication functionality.  If needed, you could then use AuthBy
LDAP2 for authorization (checking group memberships etc.).

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
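Putting the advice above into a Radiator configuration, as an added example that is not part of the original message nor of Radiator's own goodies. The domain name, directory host, bind account, group DN, certificate paths and secrets are placeholders (assumptions); the parameter names are the ones the Radiator reference manual documents for AuthBy NTLM, AuthBy LDAP2 and PEAP. AuthBy NTLM does the MSCHAP-V2 check through Samba's ntlm_auth, which talks to the domain controller with the NT hash the DC holds, so LDAP never has to expose it; AuthBy LDAP2 then runs with NoCheckPassword and only decides authorization (here, membership of one AD group):

```text
# Added example, not from the original post: PEAP/MSCHAP-V2 for 802.1X
# against Active Directory on a Linux Radiator. Requires the Radiator host
# to be joined to the domain (net ads join) with winbind running.
# All hostnames, DNs, paths and secrets are placeholders.

# Inner (tunnelled) request: the MSCHAP-V2 exchange carried inside PEAP
<Handler TunnelledByPEAP=1>
	# Strip any @realm so NTLM and LDAP2 both see the bare account name
	RewriteUsername s/^([^@]+).*/$1/
	AuthByPolicy ContinueWhileAccept

	# Authentication: delegated to the DC via Samba's ntlm_auth helper.
	# The radiusd user needs access to winbind's privileged pipe.
	<AuthBy NTLM>
		NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
		Domain EXAMPLE
		DefaultDomain EXAMPLE
		UsernameMatchesWithoutRealm
		EAPType MSCHAP-V2
	</AuthBy>

	# Authorization only: account must exist and be in the Wi-Fi group.
	# AD returns no password attribute, so no password check is attempted.
	<AuthBy LDAP2>
		Host dc1.example.com
		Port 636
		UseSSL
		CAFile %D/certificates/ad-root-ca.pem
		Version 3
		AuthDN cn=radiator-bind,ou=Service Accounts,dc=example,dc=com
		AuthPassword bind-password-placeholder
		BaseDN ou=Users,dc=example,dc=com
		UsernameAttr sAMAccountName
		NoCheckPassword
		# %0 is UsernameAttr, %1 is the user name from the request
		SearchFilter (&(%0=%1)(memberOf=cn=WiFi-Users,ou=Groups,dc=example,dc=com))
	</AuthBy>
</Handler>

# Outer request: terminates the PEAP TLS tunnel, then hands the inner
# EAP to the TunnelledByPEAP handler above
<Handler>
	<AuthBy NTLM>
		NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
		Domain EXAMPLE
		DefaultDomain EXAMPLE
		EAPType PEAP
		EAPTLS_CAFile %D/certificates/radius-ca.pem
		EAPTLS_CertificateFile %D/certificates/radius-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/radius-srv.key
		EAPTLS_PrivateKeyPassword key-password-placeholder
		EAPTLS_MaxFragmentSize 1024
		AutoMPPEKeys
		EAPAnonymous anonymous
	</AuthBy>
</Handler>
```

Two checks before reading Radiator's trace: run `wbinfo -t` and `ntlm_auth --username=someuser --domain=EXAMPLE --password=...` as the user radiusd runs as, since a failed join or missing access to the winbindd_privileged directory shows up as an MSCHAP-V2 failure in Radiator. Note also that AD's memberOf attribute is not transitive, so the SearchFilter above only matches direct members of the group, not members of nested groups.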