PAP credentials against AD?

Guy Davies aguydavies at
Wed Feb 15 17:03:28 CET 2006

Hi Josh,

So long as the user is a valid user, it can be used to do the bind,
AFAIK.  I used to do this at the office.  Our AD Admins created a
special account with a non-expiring password but no other special
privileges to authenticate the search/bind and that worked fine.

We used to use EAP-TTLS/PAP for wireless login.  We also used the GINA
module in the 802.1x supplicant we had to authenticate prior to
completion of Windows login so that login scripts worked properly too.

On 15/02/06, Josh Howlett <josh.howlett at> wrote:
> Hi Stefan,
> We probably need a freeradius-eduroam list :-)
> >>Is it possible to authenticate PAP credentials from the NAS against a
> >>Windows domain using NTLM? I've tried using the mschap module, but it
> >>expects to see a Challenge that the NAS doesn't provide.
> >
> >
> > If you want to authenticate against AD and have PAP credentials available,
> > just treat the AD server like an LDAP server, i.e.: the ldap {} section is
> > for you. It will use the credentials to bind as the user to AD, and if that
> > succeeds the user is allowed in.
> I didn't realise that AD allowed authenticated binds from users by
> default. Does it require some special tweaking? Our AD admin are *very*
> cautious about who talks to it... (probably very sensible).
> best regards, josh.
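
The search-then-bind flow described in the messages above, as an added example that is not code from the thread or from FreeRADIUS: a low-privilege account resolves the login name to a DN, then the PAP password is tried in a bind as that DN. `FakeDirectory`, the DNs and the passwords are constructed stand-ins so the example runs offline; the empty-password branch models the unauthenticated bind of RFC 4513, which is why the password is checked before any bind is attempted.

```python
import re

# Constructed sample data; every name and password here is hypothetical.
SERVICE_DN = "CN=radius-bind,OU=Service,DC=example,DC=org"
SERVICE_PW = "service-secret"
USERS = {  # DN -> (sAMAccountName, password)
    "CN=Alice,OU=Staff,DC=example,DC=org": ("alice", "correct horse"),
    "CN=Bob,OU=Staff,DC=example,DC=org": ("bob", "hunter2"),
}

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

class FakeDirectory:
    """In-memory stand-in for the directory; models only bind and search."""
    def simple_bind(self, dn, password):
        if password == "":
            # RFC 4513 unauthenticated bind: a DN with an empty password can
            # be answered with success although nothing was verified.
            return True
        if dn == SERVICE_DN:
            return password == SERVICE_PW
        return dn in USERS and USERS[dn][1] == password

    def search(self, ldap_filter):
        # Exact-match lookup only; enough to resolve a login name to DNs.
        return [dn for dn, (name, _) in USERS.items()
                if ldap_filter == "(sAMAccountName=%s)" % escape_filter(name)]

def authenticate_pap(directory, username, password):
    """Return True only if the user's own bind succeeded with a real password."""
    if not username or not password:
        return False              # never let an empty password reach the bind
    if not directory.simple_bind(SERVICE_DN, SERVICE_PW):
        return False              # search account unusable: fail closed
    matches = directory.search("(sAMAccountName=%s)" % escape_filter(username))
    if len(matches) != 1:
        return False              # unknown or ambiguous user
    return directory.simple_bind(matches[0], password)
```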