So, after some fiddling, I can now authenticate users of our network gear (network admins) with AD, via freeradius. Thank you to any and all who have made that possible. It is truly appreciated. Arriving here, I just wanted to ask if there is any document discussing any additional risk or exposure for the AD-accounts by doing this. Note: I am not trying to imply there is one, nor am I trying to sell five feathers as whole chicken in a bag or however that analogy goes. I am merely acknowledging my relative ignorance w.r.t. how AD and RADIUS works and what security mechanisms it has in place for preventing abuse. From the top of my head: - Can someone use freeradius for unlimited tries at guessing an AD password? - If the radius secret becomes known to a bad actor, could they set up a 'farm' of radius clients in the defined client address spaces to bypass rate limits? - And likewise, could they instrument their radius client to reveal more information than we intend to? - Is there a better way to define clients than defining static hosts or networks in clients.conf? (We have an IPAM with an API. Could we employ this to only permit radius requests from known (expected) radius clients?) And I am certain there are more questions I should be asking. Conscious Incompetence and all that jazz.... Thanks, Dag B