Free radius authentication with AD using ldap

Fajar A. Nugraha list at
Mon Nov 28 06:44:10 CET 2011

On Mon, Nov 28, 2011 at 12:29 PM, Vikashgounder
<Vikash.gounder at> wrote:
> From the local radtest I can see, it is authenticating fine but when testing

... and where is the debug log for that?

> with a wpa device, this is the error m getting on the debug log:

It's quite informative, actually:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?

If you use AD as ldap, the user password is not accessible in any ldap
attribute. Thus you normally have to use ntlm_auth. See
(old version, but some of it might be still relevant)

Some other thing to check:
- Are you setting Auth-Type manually? You shouldn't need to
- If you REALLY have radtest working, then it's usually a matter of
making sure configuration in sites-available/default (the one used if
you use PAP directly, e.g. with radtest) is also in
sites-available/inner-tunnel (the one used to handle AAA inside EAP
tunnel, like when you use EAP-PEAP-MSCHAPv2)


More information about the Freeradius-Users mailing list