FreeRadius unable to read password from LDAP query to win2008 AD

Phil Mayers p.mayers at
Thu May 17 21:37:40 CEST 2012

sonyisda1 <esj at> wrote:

>Using FreeRadius on Ubuntu 12.04
>FreeRadius is communicating with Windows 2008 R2 Active Directory
>I have MS-CHAP authentication working fine.  This is used for VPN.
>I am setting up LDAP authorization and CHAP authentication.  This will
>used for router login.  The router has the radius configuration
>pointing to
>FreeRadius box.
>From the logs, the LDAP authorization appears to bind correctly but is
>unable to retrieve a clear password for the user account and thus user
>cannot be authenticated with CHAP.

Active directory does not *have* plaintext passwords. Even the ones it does have (nt hash) cannot be read out via ldap or any other method (short of rooting the box).

Therefore, chap against ad ldap is impossible. See the protocol compatibility guide on
Sent from my phone. Please excuse brevity and typos.

More information about the Freeradius-Users mailing list