windows 2003 AD authentication with freeradius (for 802.1X)

Stieven.Struyf at
Thu Nov 16 12:10:20 CET 2006

I've been struggling to get AD authentication working the way I want it. I 
wanted users to automatically log in to the wireless network with their 
Windows (AD) account without needing to enter their passwords.
I created this procedure from bits and pieces I found on the internet, 
hints I got on this list and some things I found out myself. 
I hope this saves some time for others (as this was a popular question on the 
list/Google, but I didn't find the complete solution that worked for me). 
If there are better options than the ones I used, let me know. I changed 
IP addresses and realm names for privacy reasons, but if something is 
no longer clear, let me know.

1. General config needed for 802.1X
I added the AP in the clients.conf file.
I configured the AP to use WPA2/AES (I also had to add WPA/TKIP).
I entered the RADIUS server I used below as the RADIUS server (enabled 802.1X on 
the AP) and used the secret I configured in the clients.conf file.

2. FreeRADIUS + AD (Windows 2003)
install samba (packages samba, samba-common and samba-client)

configure /etc/samba/smb.conf:
[root at radsv samba]# cat smb.conf
[global]
workgroup =
security = ADS
# security = ADS also needs "realm = <Kerberos realm>" here so that
# net ads join knows which realm to join (the value is not shown in the archived post)
encrypt passwords = yes
password server =
# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

# share section; its header was lost in the archived post, [sambatest] is assumed here
[sambatest]
comment = Samba functionality test directory
path = /home/sambatest
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @DIVISION.DOMAIN.NET\"Domain Users"
[root at radsv samba]#

configure /etc/krb5.conf
[root at radsv samba]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DIVISION.DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
# single-DES enctypes as in the original post: Windows 2003 still offered them, but
# they are weak and disabled by default on newer DCs and in MIT krb5 (allow_weak_crypto)
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc

[realms]
# realm block header reconstructed from default_realm; the KDC values are not shown in the archived post
DIVISION.DOMAIN.NET = {
kdc =
admin_server =
default_domain =
}

[domain_realm]
# the domain-to-realm mappings are missing from the archived post

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root at radsv samba]#

configure nsswitch.conf:
change the following entries in /etc/nsswitch.conf:
passwd: files -> passwd: files winbind
group: files -> group: files winbind

join the RADIUS server to the domain (the account wireless-account needs to be 
created first and should have enough rights in AD):
# net ads join -S -U wireless-account

Configure FreeRADIUS:

Add the user to the /etc/raddb/users file (if you use it for 802.1X you probably also 
want to add VLAN assignment entries):
[root at radsv raddb]# cat users|grep -i user123
[root at radsv raddb]#

Add realm(s) to the /etc/raddb/proxy.conf file (add here all the aliases of 
your domain); authhost/accthost = LOCAL means the realm is handled by this server, not proxied:
# the first realm header was lost in the archived post; the full realm name is assumed here
realm DIVISION.DOMAIN.NET {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}
realm DIVISION {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

Configure /etc/raddb/radiusd.conf (change/activate the mschap part):
mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_strong = yes
                with_ntdomain_hack = yes
                require_encryption = yes
                # --request-nt-key makes winbind return the user's NT key, which the
                # mschap module needs to derive the MPPE keys that become the WPA session keys.
                # The line is cut off in the archived post; the FreeRADIUS 1.x sample radiusd.conf
                # continues it with --username=%{Stripped-User-Name:-%{User-Name:-None}}
                # --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
                # ntlm_auth uses winbindd's privileged pipe, so the user radiusd runs as
                # must be allowed to read the winbindd_privileged directory
}

Configure eap.conf: 

Uncomment the tls keys (for production you should create your own!!).
# the enclosing eap { } block and the PEAP/MS-CHAPv2 sections are not shown in the archived post
tls {
                        # "whatever" is the password of the test key shipped with FreeRADIUS, and the
                        # demoCA certificates are public: every supplicant that trusts them would
                        # also trust an attacker's RADIUS server, so replace them before going live
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/cert-srv.pem
                        certificate_file = ${raddbdir}/certs/cert-srv.pem
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        fragment_size = 1024
                        include_length = yes
}

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf at
Tel. +32 (0)2 2552551
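The smb.conf, krb5.conf, mschap and eap/tls fragments in the procedure above each carry one setting that decides whether AD-backed 802.1X works and is safe. As an added example that is not part of the post, the Python script below audits constructed copies of those fragments for exactly those points: a missing realm with security = ADS, single-DES enctypes in krb5.conf, --request-nt-key in the ntlm_auth command (without it no NT key and therefore no MPPE/WPA keys), and the shipped demo certificate in eap.conf. The sample configs, the hostname dc1.division.domain.net and the check texts are mine, not the poster's files.

```python
"""Audit Samba/Kerberos/FreeRADIUS fragments for AD-backed 802.1X pitfalls."""

# Constructed sample fragments modelled on the post; realm, hostname and paths are placeholders.
SMB_CONF = """[global]
workgroup = DIVISION
security = ADS
encrypt passwords = yes
password server = dc1.division.domain.net
winbind enum users = yes
"""

KRB5_CONF = """[libdefaults]
default_realm = DIVISION.DOMAIN.NET
dns_lookup_kdc = false
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
[realms]
DIVISION.DOMAIN.NET = {
  kdc = dc1.division.domain.net
}
"""

MSCHAP_CONF = """mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_strong = yes
    with_ntdomain_hack = yes
    require_encryption = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
"""

EAP_TLS_CONF = """tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    fragment_size = 1024
}
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def settings(text):
    """key -> value for 'key = value' lines of an ini- or brace-style fragment.
    Section headers, block openers ('name {'), closers and comments are skipped and
    only the first '=' splits, so a value like the ntlm_auth command survives intact."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or line == "}" or line.endswith("{") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[" ".join(key.lower().split())] = value.strip().strip('"')  # samba ignores case/spacing
    return out


def check_smb(text):
    cfg, findings = settings(text), []
    if cfg.get("security", "").lower() == "ads" and "realm" not in cfg:
        findings.append("smb.conf: security = ADS without realm =; net ads join needs the Kerberos realm")
    if cfg.get("encrypt passwords", "yes").lower() == "no":
        findings.append("smb.conf: encrypt passwords = no disables NT-hash authentication")
    return findings


def check_krb5(text):
    cfg, findings = settings(text), []
    for key in ENCTYPE_KEYS:
        types = cfg.get(key, "").split()
        weak = [t for t in types if t in SINGLE_DES]
        if weak and len(weak) == len(types):  # nothing but single DES: modern DCs reject every ticket
            findings.append(f"krb5.conf: {key} allows only single DES ({' '.join(weak)}); "
                            "DCs and MIT krb5 with DES disabled will refuse it")
        elif weak:
            findings.append(f"krb5.conf: {key} still offers single DES ({' '.join(weak)})")
    return findings


def check_mschap(text):
    cfg, findings = settings(text), []
    cmd = cfg.get("ntlm_auth", "")
    if not cmd:
        findings.append("mschap: no ntlm_auth command; AD users cannot be checked without it")
    elif "--request-nt-key" not in cmd:
        findings.append("mschap: ntlm_auth lacks --request-nt-key, so no NT key comes back and MPPE/WPA keys cannot be derived")
    for key, default in (("use_mppe", "yes"), ("require_encryption", "no"), ("require_strong", "no")):
        if cfg.get(key, default).lower() != "yes":
            findings.append(f"mschap: {key} is not yes")
    return findings


def check_eap_tls(text):
    cfg, findings = settings(text), []
    if cfg.get("private_key_password") == "whatever":
        findings.append("eap/tls: private_key_password is the well-known password of the shipped test key")
    files = " ".join(cfg.get(k, "") for k in ("private_key_file", "certificate_file", "ca_file")).lower()
    if "cert-srv.pem" in files or "democa" in files:
        findings.append("eap/tls: shipped demo certificate/CA in use; anyone with the FreeRADIUS tarball has that key")
    return findings


def audit(smb=SMB_CONF, krb5=KRB5_CONF, mschap=MSCHAP_CONF, tls=EAP_TLS_CONF):
    """All checks at once; an empty list for a file means nothing to fix there."""
    return {"smb.conf": check_smb(smb), "krb5.conf": check_krb5(krb5),
            "radiusd.conf mschap": check_mschap(mschap), "eap.conf tls": check_eap_tls(tls)}


if __name__ == "__main__":
    for name, found in audit().items():
        print(name + ":", "ok" if not found else "\n  - " + "\n  - ".join(found))
```

Run as-is the script reports the missing realm, both DES-only enctype lines and the two demo-certificate findings, and passes the mschap block; point the four check functions at your real files (or feed them fixed fragments) to see the findings disappear.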

More information about the Freeradius-Users mailing list