authenticate machine accounts with ntlm_auth

Alan DeKok aland at
Fri Jul 29 19:17:00 CEST 2005

<martin.p.bradley at> wrote:
> I'm very frustrated now after spending a couple of weeks trying to get
> free radius to authenticate my Win2k machine accounts against active
> directory. :-(

  Sorry, blame Microsoft.  It isn't possible, but they don't make it
obvious that it's not possible.

> Alan, do you know of any way to get this working.  I have been assured
> that Funk can do this, have you any idea how Funk are doing it.  Funk
> costs too much.  Maybe I'm not allowed to ask such questions.

  Funk does it by running the radius server on the AD server.  At that
point, they can use *internal* Windows API's or hacks to get at the
data.  Since FreeRADIUS is running externally, it can't use those
API's, and thus won't work.

  FreeRADIUS *will* run on XP.  If someone were to write the necessary
code, you could run the server on XP, and do what Funk does.

  Alan DeKok.

More information about the Freeradius-Users mailing list