Freeradius 2.1.8+Windows AD+MS-CHAP with ntlm_auth

Alan Buxey A.L.M.Buxey at
Wed May 19 10:19:16 CEST 2010


> I've been working on Freeradius with XP supplicants for a while but so far I couldn't make it. Authentication against Active Directory works like a charm (

what's going wrong with your Windows XP clients?  this isn't hard stuff really,
thousands of sites use it in this way.

> I want to authenticate several users against AD keeping in mind the following conditions:
> - Not use of certificates at all.
> - Transparent authentication of clients in wireless networks using MS-CHAPv2 (username and password they use to authenticate against AD).

as Alan has said, impossible. you will need at least one certificate to be involved - that's
the server cert.  if you are worrying about deployment of the server cert and don't care
that someone else can get such a cert then just get your server cert signed by a CA that
comes with Windows as standard (e.g. some VeriSign or such...).  then it's just a case of
configuring the eap.conf section, configuring inner-tunnel to match requirements and then
configure the windows .

choose PEAP,
-> don't login as login ID (unless login/pass is same as AD details!)
configure the trust, set the server name to the CN in your cert, tick
the correct CA

don't login as guest

...that's pretty much it.

then radiusd -X on this list if you have issues. i mean, what could go wrong?  ;-)
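
The server side of the setup described above, as an added sketch in FreeRADIUS 2.1.x configuration syntax; it is not part of the original post. The certificate file names, the key password and the ntlm_auth path are placeholders to be replaced with your own values.

```conf
# --- eap.conf: outer EAP, PEAP terminated with the server certificate ---
eap {
	default_eap_type = peap
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		# Placeholder password and file names: point these at your
		# CA-signed server certificate and its private key
		private_key_password = CHANGE_ME
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
	}
	peap {
		# MS-CHAPv2 runs inside the TLS tunnel, never in the clear
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# --- modules/mschap: pass the MS-CHAPv2 exchange to AD via ntlm_auth ---
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	# Assumed install path for Samba's ntlm_auth
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- sites-available/inner-tunnel: what runs inside the PEAP tunnel ---
server inner-tunnel {
	authorize {
		mschap
		eap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

On the Windows supplicant, the server name entered in the PEAP trust settings has to match the CN of the certificate referenced by `certificate_file`, and the CA that signed it has to be the one ticked.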

