freeRadius against Active Directory

Phil Mayers p.mayers at
Tue Oct 9 11:10:47 CEST 2012

On 09/10/12 07:51, Martin.Heinzmann at wrote:
> Hi,
> I thought the whole meaning of binding a freeRadius to an Active
> Directory is that I have from now on just to configure Users in the AD.
> So every device I want to authenticate on asks the FR which then asks
> the AD. So the AD will answer if the User is valid and which
> Service-Type he has.

Service-Type is a RADIUS thing. AD is a Microsoft LDAP server & some 
other protocols. It doesn't have a Service-Type attribute. You will need 
to query AD, and define a mapping from some AD attribute to Service-Type.

You will need to use the "ldap" module for this; see in particular 
ldap.attrmap that lets you define mappings from LDAP attributes to 
RADIUS reply attributes.

Note: the LDAP bit of AD is really separate from the "authentication" 
bit. They're separate, and are configured separately.

> On my AD Server I installed the Role NPS, configured a RADIUS-Client and
> some Network Policies. Maybe I am on the right way, maybe not... :-(

I doubt it. I don't see how that would help.

> The AD succesfully tells the FR if the user is valid, just that
> Service-Type is missing.

Again - Service-Type is a RADIUS thing. AD doesn't speak RADIUS. You 
need to define a translation / mapping.

More information about the Freeradius-Users mailing list