Active Directory with NTLM_AUTH

Garber, Neal Neal.Garber at
Fri Oct 13 07:27:55 CEST 2006

> I also need to check that the user is a member of a particular group
> in Active Directory before Access-Accept is sent - do I fall back to
> LDAP for this?

You can use LDAP in the authorize section to accomplish this.  Is the
group name you are checking against static?  Is it
sometimes/always/never the primary group for the user?

> I have had LDAP only working with PAP, but am stuck with getting it to
> work with MS-CHAP.

You can't use LDAP with MS-CHAP.  Use the mschap module to do the
authentication.  Look at the comments in radiusd.conf to see how to use
ntlm_auth via the mschap module of FR.
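
The setup described in this reply, sketched as an added example (not part of the original post and not copied from the FreeRADIUS distribution): the mschap module hands the MS-CHAP challenge and response to ntlm_auth, which has the domain controller verify them through winbind. It goes slightly beyond the reply by also showing ntlm_auth's `--require-membership-of` option as one way to enforce the group check in the same call. Assumptions: Samba's winbind is joined to the domain, ntlm_auth lives at `/usr/bin/ntlm_auth`, `<GROUP-SID>` is a placeholder for the SID of the required group, and the attribute expansions may need adjusting for your FreeRADIUS version.

```conf
# Added illustration; path and <GROUP-SID> are placeholders, not values from the post.

# radiusd.conf, modules section
mschap {
    # FreeRADIUS never sees the password. It passes the MS-CHAP challenge
    # and NT-Response to ntlm_auth, and winbind asks the DC to check them.
    # --require-membership-of makes ntlm_auth fail unless the user is in
    # the given group, so no Access-Accept is sent for non-members.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=<GROUP-SID>"
}

authorize {
    # Detects MS-CHAP attributes in the request and sets Auth-Type
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
```

The user running radiusd needs read access to winbind's privileged pipe directory, otherwise ntlm_auth fails even when the credentials are correct.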
