Citando Alan DeKok <aland@deployingradius.com>:
The domain controllers are giving LDAP referrals to systems on the other side of the VPN. When the VPN is down, those systems are unreachable.
Wouldn't this prevent the users from authenticate at all when VPN is down? Most of the time they can authenticate, but sometimes are rejected in a batch and then can authenticate again
You need to reconfigure the local Active Directory servers to have copies of all of the relevant information, so that they don't give referrals to machines across the VPN. This usually means making the local AD server a global catalog server.
I am not the domain admin. All the campuses have the same AD server configuration as mine, the main campus IT staff gave us these servers already configured and we can't even login in them. A thing to mention is that other campuses uses NPS or ISE as NAC and don't have this problem when VPN is down. My campus is the only one using freeradius, that's why I thought that this could be a configuration error in my freeradius. Thanks.