Can’t authenticate radius against active directory

Tags: active-directory, freeradius

I'm trying to use the LDAP module to authenticate radius clients against active directory, so I need to have it actually use LDAP as the authenticator. However, it seems User-Password isn't getting set. First of all, is User-Password supposed to be sent by the client or the backend server? My main question is, what am I doing wrong?

And yes I'm aware that the logs are screaming "don't do this" at me, but reading the readme it seems that that's usually good advice but AD requires this.

Best Answer

With AD you have two credential options, either the plaintext password, or the NT-Password (MD4 hash of the password). With plaintext auth you can use an LDAP authenticated bind to validate the credentials.

With the NT-Password you'd need to run MSCHAPv2 as the authentication method, and use something like winbindd (samba) to join the AD domain.

The immediate issue in your case however, is you're using CHAP, which only provides a challenge response to the RADIUS server, not the cleartext password. There's no backend authentication mechanism in AD that supports RADIUS CHAP authentication, so if you want this to work, you'll need to convince your NAS (Network Access Server) to perform either PAP (for cleartext auth with authenticated bind), or MSCHAPv2 (with winbind-based auth).
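The two working paths the answer describes (PAP verified by an LDAP authenticated bind, MS-CHAPv2 verified by Samba's ntlm_auth through winbind), plus an explicit rejection of CHAP requests, look like this in FreeRADIUS 3 unlang. This is an added configuration example written for this page, not the asker's or the FreeRADIUS project's own config; the file paths, the `ntlm_auth` location and the Reply-Message text are assumptions for a typical Debian-style install.

```text
# /etc/freeradius/3.0/sites-available/default  (excerpt; added example, paths assumed)
authorize {
    preprocess
    chap            # sets control:Auth-Type := CHAP when CHAP-Password is present
    mschap          # sets control:Auth-Type := MS-CHAP when MS-CHAP attributes are present
    suffix

    # AD only holds the NT hash, so it cannot validate a CHAP (MD5) response.
    # Reject early with a clear reason instead of a generic failure later.
    if (&control:Auth-Type == CHAP) {
        update reply {
            &Reply-Message := "CHAP is not supported against Active Directory; use PAP or MS-CHAPv2"
        }
        reject
    }

    # Look the user up in AD; "-ldap" means a lookup failure is not fatal here.
    -ldap
    # PAP case: the NAS sent the cleartext User-Password, so verify it with an
    # LDAP authenticated bind as that user in the authenticate section.
    if ((ok || updated) && &User-Password) {
        update {
            &control:Auth-Type := LDAP
        }
    }
    pap
}

authenticate {
    Auth-Type LDAP {
        ldap        # binds to AD with the user's DN and the supplied User-Password
    }
    Auth-Type MS-CHAP {
        mschap      # hands challenge/NT-Response to ntlm_auth (see mods-available/mschap)
    }
    pap
}

# /etc/freeradius/3.0/mods-available/mschap  (excerpt; host must be joined to the domain with winbind)
mschap {
    use_mppe = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The Auth-Type LDAP path only works when the NAS actually sends User-Password (PAP); the MS-CHAP path needs the RADIUS host joined to the domain so that `ntlm_auth` can ask the domain controller to validate the NT-Response. Both can be checked with `radtest` (PAP by default, `mschap` as the last argument for MS-CHAPv2) and `freeradius -X` to watch which Auth-Type is selected.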