Re: How does IAS authenticate using Active Directory
From: Andrew (abartlem_at_vasco.com)
Date: 11/25/04
- Next message: Sam Salhi [MSFT]: "Re: How does IAS authenticate using Active Directory"
- Previous message: Ralf Laemmermeyer: "Re: ReasonCode=97 with netgear and intel"
- In reply to: Sam Salhi [MSFT]: "Re: How does IAS authenticate using Active Directory"
- Next in thread: Sam Salhi [MSFT]: "Re: How does IAS authenticate using Active Directory"
- Reply: Sam Salhi [MSFT]: "Re: How does IAS authenticate using Active Directory"
Date: 25 Nov 2004 14:45:22 -0800
Now since we now know that IAS needs to retrieve the user's password
in some form from the operating system, how does IAS retrieve this
password from Active Directory?
"Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message news:<uZ#77ok0EHA.2156@TK2MSFTNGP10.phx.gbl>...
> It's well documented how the password is transmitted. Once IAS gets that, it
> uses that password to authenticate the users.
>
> from RFC2865:
> For CHAP, the NAS generates a random challenge (preferably 16 octets)
> and sends it to the user, who returns a CHAP response along with a
> CHAP ID and CHAP username. The NAS then sends an Access-Request
> packet to the RADIUS server with the CHAP username as the User-Name
> and with the CHAP ID and CHAP response as the CHAP-Password
> (Attribute 3). The random challenge can either be included in the
> CHAP-Challenge attribute or, if it is 16 octets long, it can be
> placed in the Request Authenticator field of the Access-Request
> packet. The NAS MAY include the Attributes Service-Type =
> Framed-User and Framed-Protocol = PPP as a hint to the RADIUS server that
> PPP service is expected.
>
> The RADIUS server looks up a password based on the User-Name,
> encrypts the challenge using MD5 on the CHAP ID octet, that password,
> and the CHAP challenge (from the CHAP-Challenge attribute if present,
> otherwise from the Request Authenticator), and compares that result
> to the CHAP-Password. If they match, the server sends back an
> Access-Accept, otherwise it sends back an Access-Reject.
>
> In other words, the RADIUS server MUST have the password at hand to
> authenticate the user, in both cases.
> (In PAP, RADIUS has the actual password; in CHAP, RADIUS uses the hash, which
> it uses to compare with the hash it knows.)
>
> --
> =============================================
> This posting is provided "AS IS" with no warranties, and confers no rights
>
> Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and
> troubleshooting RADIUS using IAS"
> This chat will help you resolve all of your RADIUS/IAS issues. You can ask
> about RADIUS, IAS, 802.1x, Active directory configuration and Certificate
> services, related to IAS and RADIUS
> Follow this link to join the chat
> http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
> =============================================
>
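
Added example (not part of the original thread, and not IAS code): the server-side CHAP check from the RFC 2865 text quoted above, in Python, showing why the server needs the password itself rather than a one-way digest of it. The function names are hypothetical, the ID, password, challenge and authenticator are constructed sample values, and SHA-256 stands in for any one-way stored form.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5 over the CHAP ID octet, the password and the challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password: bytes, stored_password: bytes,
                request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check of a CHAP-Password attribute value (Attribute 3)."""
    # The attribute value is 1 octet of CHAP ID plus the 16-octet response.
    if len(chap_password) != 17:
        return False
    chap_id, received = chap_password[0], chap_password[1:]
    # Challenge comes from CHAP-Challenge if present, otherwise from the
    # Request Authenticator field of the Access-Request.
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, received)  # constant-time compare


# Constructed sample values, not taken from any real capture.
CHAP_ID = 0x2A
PASSWORD = b"example-password"
CHALLENGE = bytes(range(16))          # 16-octet challenge from the NAS
AUTHENTICATOR = bytes(range(16, 32))  # Request Authenticator of the packet

# What the user's side returns and the NAS forwards as CHAP-Password.
ATTR = bytes([CHAP_ID]) + chap_response(CHAP_ID, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    print("password on server:", verify_chap(ATTR, PASSWORD, AUTHENTICATOR, CHALLENGE))
    # A server holding only a one-way digest of the password cannot rebuild
    # the expected response, so the same valid request is rejected.
    digest_only = hashlib.sha256(PASSWORD).digest()
    print("digest on server:  ", verify_chap(ATTR, digest_only, AUTHENTICATOR, CHALLENGE))
```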