One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

Alan DeKok aland at
Tue Dec 7 21:41:56 CET 2010

schilling wrote:
> We got ntlm_auth against AD working for PEAP, we also got separate
> server for PEAP against ldap ntPassword hash.
> ...
> Is there any way to have a virtual server(1812/1813) for
> mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for
> mschapv2-ldap ntPassword hash?

  Yes.  But I don't think that's necessary.

> Here is our situation:
> We have faculty/staff in active directory.So we are using ntlm_auth
> against AD for their network authentication. Faculty/staff will sign
> on with username, it will get directed to ntpm_auth against AD.
> We have student in ldap with ntPassword but not in AD. So we would
> like to have student sign on with username at, so we can
> manipulate the radius configuration to direct username at to use
> ldap ntPassword authentication.
> Is there anyway using freeradius to accomplish this?

  Yes.  And you don't need two virtual servers.

1) edit the "authorize" section to do...
2) if people log in with "user at", run "ldap"
3)    else force "ntlm_auth"

  You might have to declare a "" realm, but that shouldn't be an
issue.  The config should really be about 10 lines changed from the default.

  Develop this by:

1) adding realm ""
2) enabling ldap
3) checking authentication

4) adding "if not realm"
5) do ntlm_auth, as per the docs, wiki, etc.

  Alan DeKok.

More information about the Freeradius-Users mailing list