On Jun 8, 2017, at 11:18 AM, Konstantin Knaab-Hinrichs via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My colleagues and I guessed that FreeRADIUS uses user credentials automatically if no identity is set in mods-available/ldap because we couldn't figure it out based on what's in the freeradius wiki.
FreeRADIUS uses what's available. The debug output shows what's available. If there's a User-Password in the packet, FreeRADIUS can do an LDAP bind. If there's MS-CHAP data in the packet, FreeRADIUS MUST use ntlm to AD.
Where do I recognize that this is the problem when authenticating? reading the radiusd -X output shows me a successful LDAP bind, but everything results in an Access-Reject after no answer from the Microsofft Active Directories LDAP.
Then fix AD so that it responds to LDAP queries. Even if you get the LDAP query wrong, AD *should* respond with "nothing found". That is a different error from "AD doesn't answer". Again. reading the debug output will tell you exactly what's going on. Or, if you don't understand it, post it here. Alan DeKok.