FreeRADIUS, 802.1x, and multiple user stores

Jonathan L Ocab jonathan.ocab at ucr.edu
Wed Aug 1 19:05:52 CEST 2012


I'm playing around with 802.1x over the wire in a development environment at work and it's pretty much functional with the Windows and OS X hosts I've been testing with (OpenLDAP as backend user store).

My next step is getting 802.1x working such that FreeRADIUS can authenticate users to different Active Directory user stores based on the domain provided.

What would be the best way to implement FreeRADIUS such that authorization/authentication requests are confirmed against different Active Directory domains based on the domain information provided with the username?

Should I light up a new FreeRADIUS instance to correspond to each AD domain (or OpenLDAP) and proxy from the primary FreeRADIUS server handling 802.1x requests?

Or should I handle it at the site configuration level and load a different 'ldap' module based on the domain provided with the username?

Or is there another best practice?

---
Jonathan Ocab | jocab at ucr.edu
Infrastructure Security Analyst
Computing and Communications
University of California, Riverside


