Need both Local (MySQL database) and Active directory authentications.

Alan DeKok aland at
Thu Apr 11 15:34:29 CEST 2013

ffgch2 wrote:
> I have set up Freeradius (v.2.1.10)

  Upgrade to v2.2.0.

> to do password authentication from
> MySQL database and it works fine but now I need to make some users be
> able to authenticate against Active directory accounts. I’ve set up
> winbind to authenticate windows accounts and it works but as a result
> freeradius lost ability to authenticate by local database.

  You need to figure out when users will be checked against SQL, and
when they will be checked against AD.  Right now, you've configured
FreeRADIUS to use both.  Which isn't what you want.

> So if I comment the line:

  Don't randomly change things.  It won't work.

> Is there a way to tell mschap to use ntlm_auth depending on field in
> MySQL table and use the internal mechanisms if plain text passwords
> available in the MySQL table?

  No.  There are better ways.

  See raddb/modules/mschap.  You can control when ntlm_auth is called.

  See "man unlang".  You can configure policies.  Read the debug output.

  What you want is this:

	authorize {
		if (ok) {
			update control {
				MS-CHAP-Use-NTLM-Auth := No
			}
		}
	}


  Alan DeKok.
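
The policy from the reply above in a fuller context, as an added example that is not part of the original post or the FreeRADIUS distribution. It assumes v2.x syntax, an SQL module instance named "sql" that returns "ok" only when it finds the user, a placeholder ntlm_auth path, and the default virtual server file.

```unlang
# raddb/modules/mschap
# Path and arguments are placeholders; compare with the commented
# sample in your own copy of this file before using them.
mschap {
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# raddb/sites-enabled/default (file name assumed)
authorize {
	preprocess

	# Notices the MS-CHAP attributes in the request and selects
	# Auth-Type MS-CHAP.
	mschap

	# Assumption: "ok" means the user has a row in MySQL,
	# "notfound" means the user does not.
	sql

	# Tests the return code of the module listed just above.
	# Users found in SQL are verified by mschap itself against the
	# password stored in SQL; ntlm_auth is skipped for them.
	if (ok) {
		update control {
			MS-CHAP-Use-NTLM-Auth := No
		}
	}
	# Everyone else keeps the default and is sent to ntlm_auth,
	# which checks the response against Active Directory.
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

Because the decision hangs on the return code of a single module, an account that exists in both stores is always checked against SQL, so keep the two user populations disjoint or make the condition stricter. Debug output for one user of each kind shows which path was taken.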
