FreeRadius + AD + Realms

Alan DeKok aland at
Wed Jun 30 09:59:08 CEST 2010

Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)

  Good questions are a very good start.

> Goal: Make FreeRadius look-up a user in ActiveDirectory if he has "" domain.
> Used method: EAP/TTLS (PAP in the tunnel)
> This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :)
> (it doesn't seem to load the local_ad virtual server configuration, which is I placed in the sites-enabled directory, it seems to just carry on executing the default server)

  If you read the start of the debug output, it *should* show it loading
the "local_ad" virtual server.  The output below shows it not *proxying*
the request to the "local_ad" virtual server.

> realm {
>     auth_pool = active_directory

  You'll need a line:


  To avoid EAP identity issues.
>     rlm_realm: Preparing to proxy authentication request to realm ""
> ++[suffix] returns updated
>   rlm_eap: Request is supposed to be proxied to Realm Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0

  i.e. it doesn't proxy it.

  This *does* work in 2.1.9.  So which version are you running?

  And why are you creating this complicated configuration?  The
"inner-tunnel" virtual server is set up *precisely* for this kind of
authentication.  You do EAP in the "default" server.  Then, the
"inner-tunnel" server gets the PAP password, and you can configure it to
look the user up in AD there.

  In fact, you should only need to do the following:

* start with the default config
* uncomment "ldap" everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

  The default configuration is designed to work in the widest possible
set of circumstances, with a minimal set of changes required to add any
common functionality.

  Alan DeKok.

More information about the Freeradius-Users mailing list