3.58. <AuthBy LSA>

This module provides authentication against user passwords in any Windows Active Directory or NT Domain Controller, by using the Windows LSA (Local Security Authority). Since it accesses LSA directly, it can authenticate dial-up or wireless passwords with PAP, CHAP, MSCHAP, MSCHAPV2, LEAP, and PEAP.
<AuthBy LSA> is only available on Windows 7/8/8.1/10 and Server 2008/2012/2016. Home editions are not supported. It requires the Win32-Lsa Perl module from Open System Consultants.
To install the Win32-Lsa Perl module for ActivePerl or Strawberry Perl from the Radiator distribution's ppm\activeperl\ or ppm\strawberryperl\ directory:
ppm install Win32-Lsa.ppd
To use <AuthBy LSA>, Radiator must be run on Windows as a user that has the ‘Act as part of the operating system’ security policy (SE_TCB_PRIVILEGE) enabled. This is not possible with Home editions.
Tip
Users can only be authenticated with <AuthBy LSA> if they have the ‘Access this computer from the network’ security policy enabled (this is the normal configuration for Windows Domains). <AuthBy LSA> honours the Logon Hours, Workstation Restrictions and ‘Account is Disabled’ flags in user accounts.
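Both user rights named above can be checked on the Radiator host before deployment. The following PowerShell script is an added example, not part of the Radiator distribution; it assumes an elevated prompt, and the account name EXAMPLE\radiator-svc is a placeholder.

```powershell
# Added example: audit the two user rights that <AuthBy LSA> depends on.
# Run from an elevated prompt on the Radiator host.
param(
    # Placeholder account name (assumption); use the account Radiator runs as.
    [string]$ServiceAccount = 'EXAMPLE\radiator-svc'
)

function Get-UserRightHolder {
    param([string[]]$Lines, [string]$Right)
    # secedit writes one line per right, e.g.  SeTcbPrivilege = *S-1-5-21-...,name
    $line = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }              # right is assigned to nobody
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to names where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }
        } elseif ($entry) {
            $entry
        }
    }
}

$tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    $lines = Get-Content -Path $tmp
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

$tcb = @(Get-UserRightHolder -Lines $lines -Right 'SeTcbPrivilege')
$net = @(Get-UserRightHolder -Lines $lines -Right 'SeNetworkLogonRight')

# SE_TCB_PRIVILEGE is highly sensitive: the list should be as short as possible.
# LocalSystem holds it implicitly and is never listed here.
"Act as part of the operating system (SeTcbPrivilege): " + ($tcb -join ', ')
if ($tcb -notcontains $ServiceAccount) {
    Write-Warning "$ServiceAccount is not granted SeTcbPrivilege directly; check group membership."
}

# Users must hold this right, directly or through a group, to be authenticated.
"Access this computer from the network (SeNetworkLogonRight): " + ($net -join ', ')
```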
Tip
CHAP passwords can only be authenticated if the user has the ‘Store password using reversible encryption’ option enabled in their Windows Account. The CHAP challenge must also be 16 octets long, which is the default for most CHAP implementations.
Tip
See goodies/lsa.cfg and goodies/lsa_eap_peap.cfg for examples on how to configure Radiator to authenticate PAP, CHAP, MSCHAP, MSCHAPV2, LEAP and PEAP against Windows user passwords.
Tip
If you are running Radiator on Unix or Linux and wish to authenticate to Windows Active Directory or to a Windows Domain Controller, see Section 3.72. <AuthBy NTLM>.