Clarification / Confirmation needed re: FreeRadius against ActiveDirectory

Alan DeKok aland at
Wed Mar 2 07:42:28 CET 2011

Moe, John wrote:
> Yeah, the information in that one is, as you said, simple and "just enough".
> However, it doesn't address either of the two questions I asked.
> 1) Is setting "Auth-Type = ntlm_auth" the correct way for doing what I want,
> or have I mis-configured something so that FreeRadius could work out that it
> needs to use ntlm_auth on its own?

  In this case, it won't work out that it needs to use ntlm_auth.  This
is because ntlm_auth is an "authentication oracle".  i.e. *it* is doing
the authentication, not FreeRADIUS.  This is just like proxying.  The
home server does the authentication, but the proxy needs to be told when
to proxy.

  Even with that, I'm not sure why you're asking this question.  The web
page clearly describes when to use "Auth-Type = ntlm_auth", how it
works, and what effects it will have.  What part of that is not
applicable to what you want to do?

> 2) How do I match a rule against AD Group membership?  This one was answered
> in a previous reply, and I think I can work out the implementation details
> from there, I just need to do some work and testing.

  You can configure AD as an LDAP server, and use the LDAP-Group
attribute for group membership checking.  See doc/rlm_ldap, and LDAP in
the Wiki.

  Alan DeKok.

More information about the Freeradius-Users mailing list