PAP authentication to Active Directory

Phil Mayers p.mayers at
Wed Jul 13 19:25:03 CEST 2011

On 07/13/2011 06:04 PM, Axford M.F. wrote:
> Hi
> I'm currently setting up a radius server to authenticate EAP based requests against Active Directory.
> Using Alan Dekok's guide I've got this authenticating mschap based EAP requests successfully.
> I also want to authenticate ttls/pap requests and I've found two ways to do this that seem to work.
> Method 1 is based on whats in
> Method 2 is to use LDAP for pap authentications.
> All things being equal my preference is to use Method 1 as it keeps all authentications the same, however the:
>          if (!control:Auth-Type) {
>                  update control {
>                          Auth-Type = ntlm_auth_pap
>                  }
>          }
> In the inner-tunnel/authorize section seems a bit like a hack. Is there a better way to do this ?

We do this:

server inner-tunnel {
   authorize {
   authenticate {
     Auth-Type PAP {

...which is, in it's own way, a hack (run the "pap" module to set the 
Auth-Type, run a different module to service it). Your solution isn't so 
bad; the "pap" module itself basically only does this internally:

if (!control:Auth-Type && User-Password) {
   update control {
     Auth-Type := PAP

> Is either method particularly better than the other ?

There might be circumstances in which LDAP is better; but knowing how 
the protocols works and the failure modes of the two modules in 
FreeRADIUS, I doubt it.

It also means you don't need a username to bind to LDAP for you; which 
is just another bit of config to get wrong, out of data, expired 
password, or compromised...

If you don't need LDAP for other reasons (e.g. groups) then don't bother 
with it.

More information about the Freeradius-Users mailing list