All, I've been struggling to get AD authentication working the way i want it. I wanted users to autom. login to the wireless network with their windows(ad) account without needing to enter their passwords. I created this procedure with bits and pieces i found on the internet, hints i got on this list and some things i found out myself. I hope this saves some time to others(as this was a popular question the list/google, but i didn't found the complete solution that worked for me). If there are better options then the ones i used let me know. I changed ipaddresses and realm names for privacy reasons, but if there's something not clear anymore let me know. 1. General config needed for 802.1X I added the AP in the clients.conf file. I configured the AP to use WPA2/aes (also had to add WPA/tkip). I entered the radiusserver i used below as radius server(enabled 802.1X on the AP) and used the secret i configured in the clients.conf file. freeradius+AD windows 2003 install samba(package samba+samba-common+samba-client) configure /etc/samba/smb.conf: [root@radsv samba]# cat smb.conf realm = DIVISION.DOMAIN.NET workgroup = division.domain.net security = ADS encrypt passwords = yes password server = 192.168.100.3 # idmap uid and idmap gid are aliases for # winbind uid and winbid gid, respectively idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes [test] comment = Samba functionality test directory path = /home/sambatest read only = no browsable = yes writable = yes guest ok = yes valid users = @DIVISION.DOMAIN.NET\"Domain Users" [root@radsv samba]# configure /etc/krb5.conf [root@radsv samba]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = DIVISION.DOMAIN.NET dns_lookup_realm = false dns_lookup_kdc = false default_etypes = des-cbc-crc des-cbc-md5 default_etypes_des = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 default_tgs_enctypes = des-cbc-crc [realms] DIVISION.DOMAIN.NET = { kdc = 192.168.100.3:88 admin_server = 192.168.100.3:749 default_domain = division.domain.net } [domain_realm] .division.domain.net = DIVISION.DOMAIN.NET division.domain.net = DIVISION.DOMAIN.NET [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } [root@radsv samba]# configure nsswitch.conf: change following entries in nssswitch.conf: passwd:files -> passwd:files winbind group:files -> group:files winbind join the radius server to the domain (account wireless-acount needs to be created and should have enough rights on AD) #net ads join -S 192.168.100.3 -U wireless-account Configure freeradius: Add user to /etc/raddb/users file(if you use it for 802.1X you prob. also want to add vlan assignment entries): [root@radsv raddb]# cat users|grep -i user123 user123 [root@radsv raddb]# Add realm(s) to /etc/raddb/proxy.conf file (add here all your aliases of your domain): realm DIVISION.DOMAIN.NET { type = radius authhost = LOCAL accthost = LOCAL } realm DIVISION { type = radius authhost = LOCAL accthost = LOCAL } Configure /etc/raddb/radiusd.conf (change/activate mschap part): mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Configure eap.conf: Uncomment tls keys(for production you should create your own!!). tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551