
I'm trying to use the LDAP module to authenticate RADIUS clients against Active Directory, so I need to have it actually use LDAP as the authenticator. However, it seems User-Password isn't getting set. First of all, is User-Password supposed to be sent by the client or the backend server? My main question is, what am I doing wrong?

And yes I'm aware that the logs are screaming "don't do this" at me, but reading the readme it seems that that's usually good advice but AD requires this.

Dessa Simpson

1 Answer

With AD you have two credential options, either the plaintext password, or the NT-Password (MD4 hash of the password). With plaintext auth you can use an LDAP authenticated bind to validate the credentials.

With the NT-Password you'd need to run MSCHAPv2 as the authentication method, and use something like winbindd (samba) to join the AD domain.

The immediate issue in your case however, is you're using CHAP, which only provides a challenge response to the RADIUS server, not the cleartext password. There's no backend authentication mechanism in AD that supports RADIUS CHAP authentication, so if you want this to work, you'll need to convince your NAS (Network Access Server) to perform either PAP (for cleartext auth with authenticated bind), or MSCHAPv2 (for winbind-based auth).

Arran Cudbard-Bell
  • Thank you for your response. Here's the larger perspective: The NAS is a firewall with an L2TP/IPSec VPN that seems to be advertising CHAP, as that's what my phone attempts to use to connect to it, but it only allows PAP for users it knows about through Active Directory. The workaround is to set up a RADIUS server to authenticate against the Active Directory, since the firewall supports CHAP and MSCHAPv2 against RADIUS. I wanted to run the RADIUS server on the domain controller, but it seems that won't be doable (since you can't run winbind on a samba dc). Thanks for your help. – Dessa Simpson Mar 16 '18 at 15:59
  • Okay, so I misunderstood your last paragraph. Are you saying that CHAP is impossible against AD? – Dessa Simpson Mar 16 '18 at 16:49
  • Correct, you cannot do RADIUS CHAP against AD. This is because AD does not have the user's clear text password available. – Arran Cudbard-Bell Mar 16 '18 at 18:58