I was able to configure FreeRadius/AD differently than most tutorials – just using Kerberos as an authentication mechanism (sorry for any weird formatting, coming from a wiki): All sample configuration will be for cada dev ula environment *Pre-Requisite:* # You have a keytab file for the Kerberos server located at /etc/freeradius/radius.keytab # Your Kerberos principal username is 'freeradius/mat-desktop.security.lab.company.net' {code:title=Define kerberos configurations. (/etc/krb5.conf)} [realms] COMPANY.NET = { kdc = kdc01.security.lab.company.net:88 kdc = kdc02.security.lab.company.net:88 admin_server = kdc01.security.lab.company.net:749 } company.net = { kdc = kdc01.security.lab.company.net:88 kdc = kdc02.security.lab.company.net:88 admin_server = kdc01.security.lab.company.net:749 } {code} _Note: The hostnames MUST resolve through DNS (not /etc/hosts)_ {code:title=Configure the FreeRadius kdc plugin (FREERADIUS_CONFIG_DIR/modules/kdc.conf)} krb5 { keytab = /etc/freeradius/radius.keytab service_principal =freeradius/mat-desktop.security.lab.company.net } {code} {code:title=Add your domain for FreeRadius. (FREERADIUS_CONFIG_DIR/proxy.conf)} realm company.net { } realm COMPANY.NET { } {code} {code:title=Add Kerberos to possible authentication subsystems. (FREERADIUS_CONFIG_DIR/sites-available/default)} authenticate { Auth-Type Kerberos { krb5 } {code} _Note: 'Kerberos' is the string used for 'Auth-Type' RADIUS key; it can be anything, but must be matched with RADIUS attribute 'Auth-Type'_ {code:title=Set your Auth-Type for the realm to authenticate against Kerberos (FREERADIUS_CONFIG_DIR/users)} DEFAULT Realm == "company.net", Auth-Type := Kerberos DEFAULT Realm == "COMPANY.NET", Auth-Type := Kerberos {code} _Note: The ':=' means that the user MUST authenticate using Kerberos_ _Note2: Syntax for users file_ _key \[comparison to request list, assignments to control list\]_ _assignments to reply list #1,_ _assignments to reply list #2,_ _etc._ _Setting "Auth-Type := Kerberos" on the 1st line sets a control item._ _Setting it on the 2nd or subsequent lines sets it in the reply items,_ _where it's meaningless._ Mathew Rowley IIS Network Security Architecture From: Rashard Roberts <grroberts@gmail.com<mailto:grroberts@gmail.com>> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> Date: Wed, 20 Oct 2010 17:38:30 -0400 To: <freeradius-devel@lists.freeradius.org<mailto:freeradius-devel@lists.freeradius.org>> Cc: <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> Subject: Freeradius + Active Directory Hello I am trying to get Freeradius to authenticate end-user using Active Directory. The end-user will be using be there AD username and password to login to network devices. Would some please help me? I have embedded a copy of the debug log from the radius server. rad_recv: Access-Request packet from host 192.168.168.252:1645<http://192.168.168.252:1645/>, id=94, length=92 User-Name = "svc-ldap-01@corp-test" User-Password = "WindowsXP!" Service-Type = NAS-Prompt-User NAS-IP-Address = 192.168.168.252 NAS-Port = 10 Calling-Station-Id = "192.168.168.194" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "corp-test" for User-Name = "svc-ldap-01@corp-test" rlm_realm: No such realm "corp-test" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 94 to 192.168.168.252 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 94 with timestamp 4cbf5aee Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.168.252:1645<http://192.168.168.252:1645/>, id=95, length=104 User-Name = "svc-ldap-01@corp-test.weather.com<mailto:svc-ldap-01@corp-test.weather.com>" User-Password = "WindowsXP!" Service-Type = NAS-Prompt-User NAS-IP-Address = 192.168.168.252 NAS-Port = 10 Calling-Station-Id = "192.168.168.194" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "corp-test.weather.com<http://corp-test.weather.com/>" for User-Name = "svc-ldap-01@corp-test.weather.com<mailto:svc-ldap-01@corp-test.weather.com>" rlm_realm: No such realm "corp-test.weather.com<http://corp-test.weather.com/>" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 95 to 192.168.168.252 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 95 with timestamp 4cbf5b25 Nothing to do. Sleeping until we see a request.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html