How do I set up simple AD integration?

Josh Howlett josh.howlett at
Wed Apr 12 12:48:04 CEST 2006

Burton, Steven wrote:
>> -----Original Message-----
>> From: at lists.freer [mailto:freeradius-users-bounces+sburton=shepherd-construction at lis] On Behalf Of Alan DeKok
>> Sent: 11 April 2006 16:28
>> To: FreeRadius users mailing list
>> Subject: Re: How do I set up simple AD integration? 
>> "Burton, Steven" <sburton at> wrote:
>>> This stanza is enclosed with the mschap section, still nothing ventured....
>>> I changed the line and unfolded it and ran radiusd -X. The first
>>> request didn't match anything useful and was rejected by System. I
>>> tried again but ticked the box 'CHAP' on NTRadPing and got the
>>> output:
>>   You can't do CHAP to MS AD.  It's impossible.
>>   Alan DeKok.
> My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> I still hope to get 802.1x working with FR before I'm told to stop wasting time and buy something :-) but after two and a half days (on and off) I'm no closer.


I strongly suggest you start off doing PEAP against the 'users' file, 
and once that's working get the domain stuff working.

It sounds to me like you're trying to do too much at once, and too many 
things are broken for you to know where to start!

Once you've got PEAP working against the 'users' file, create a machine 
account in the AD for the RADIUS server (using the Samba tools) and then 
use the ntlm_auth program (that comes with Samba) to test standard 

Once you've got that far, it's just a matter of configuring FreeRADIUS 
to use ntlm_auth. But you can worry about that later :-)

This isn't difficult, it's largely a matter of making sure you do the 
right steps in the right order...

best regards, josh.
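
Added example, not part of the original message or the FreeRADIUS project: a staged check for the steps that follow PEAP working against the 'users' file, stopping at the first failure. The domain `EXAMPLE`, the user `testuser`, the path `/usr/bin/ntlm_auth` and the function names are assumptions; the `ntlm_auth` line uses the modern mschap module expansions, so compare it with the commented example shipped with your FreeRADIUS version.

```shell
#!/bin/sh
# Added example. Assumed, not from the post: domain EXAMPLE, user "testuser",
# ntlm_auth at /usr/bin/ntlm_auth, Samba's net/wbinfo/ntlm_auth on PATH.
DOMAIN="${DOMAIN:-EXAMPLE}"
TESTUSER="${TESTUSER:-testuser}"

# Run one check quietly; stop at the first failure so there is only ever
# one broken thing to look at.
stage() {
    name=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "ok:   $name"
    else
        echo "FAIL: $name (fix this before moving on)"
        return 1
    fi
}

# Machine account step: the RADIUS host must hold a working machine account.
# Create it once, as root, with: net ads join -U Administrator
check_machine_account() {
    stage "samba tools on PATH"   command -v ntlm_auth &&
    stage "winbindd is answering" wbinfo -p &&
    stage "machine account trust" wbinfo -t
}

# ntlm_auth step: authenticate a real user by hand. No --password option is
# given, so ntlm_auth prompts for it and the password never lands in `ps`
# output or shell history. Success prints "NT_STATUS_OK: Success (0x0)".
test_user_login() {
    ntlm_auth --request-nt-key --domain="$DOMAIN" --username="$TESTUSER"
}

# Last step (later): the line for the mschap module once the login test works.
mschap_ntlm_auth_line() {
    printf '%s' 'ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key'
    printf '%s' ' --username=%{mschap:User-Name}'
    printf '%s' ' --challenge=%{mschap:Challenge:-00}'
    printf '%s\n' ' --nt-response=%{mschap:NT-Response:-00}"'
}

# Only touch the system when asked to: sh ad-check.sh run
if [ "${1:-}" = "run" ]; then
    check_machine_account && test_user_login && mschap_ntlm_auth_line
fi
```

The user running radiusd also needs read access to winbindd's privileged pipe directory, otherwise the hand test succeeds as root and the same call fails from inside FreeRADIUS.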
