captive portal auth with freeradius

Chitrang Srivastava chitrang.srivastava at
Fri Apr 19 14:45:09 CEST 2013

The LDAP server, or AD, has the password stored as an NTLM hash, and that's why I set
PEAP-MSCHAPv2 as the auth type (finally using ntlm_auth to authenticate). All
this works fine when a wifi access point is configured to do MSCHAPv2, and it
even worked with radtest.
Only when the access point is open and the captive portal method is enabled
am I having an issue.

I tried what Matthew suggested, in the authorize section, and it worked. The whole
issue is that the captive portal is sending a non-EAP message with User-Password set;
in this case we have to set the auth type as ldap.

 if (!EAP-Message && User-Password) {
    # Non-EAP request carrying User-Password (the captive portal case)
    update control {
      Auth-Type = ldap_secondary
    }
 }

Though unrelated to freeradius, I guess this is what is happening for my

On Fri, Apr 19, 2013 at 5:34 PM, Alan DeKok <aland at> wrote:

> Chitrang Srivastava wrote:
> > After that it started working, i.e. auth by binding to the ldap server
>   So... the LDAP server is probably active directory.  Or, there are
> security settings on it which means FreeRADIUS can't read the password
> from LDAP.
>   Which one is it?
> > But my question is: is auth by binding to the ldap server good enough to
> > authenticate?
>   No.  That's the whole reason people use FreeRADIUS.  Because it
> authenticates people.  LDAP is a database, not an authentication server.
> > because I expected authentication via mschapv2 or gtc
> > (whatever I configured); radtest and wifi authenticate like that. I
> > guess it's not in the control of radius, since the captive portal is not
> > sending an EAP message. Do all other captive portal servers work like that
> > with radius?
>   No.
>   Alan DeKok.
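
The condition discussed in this thread, as an added example (not code from the original post or from FreeRADIUS): a Python sketch that parses a RADIUS Access-Request, applies the same test as `!EAP-Message && User-Password`, and recovers the cleartext from User-Password per RFC 2865 section 5.2, which is what lets the server attempt an LDAP bind for the captive portal's PAP request. The shared secret, authenticator, user name, password and all function names are constructed for illustration.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79  # RFC 2865 / RFC 3579 types

def _keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 hiding; only used to build the sample request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does: recover the cleartext from User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_request(attrs, authenticator):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return {attribute type: [values]} from a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs

def is_pap_request(attrs):
    """Same test as the unlang condition: !EAP-Message && User-Password."""
    return EAP_MESSAGE not in attrs and USER_PASSWORD in attrs

# Constructed sample data (secret, authenticator, user and password are made up).
SECRET, AUTH = b"testing123", bytes(range(16))
PAP_REQUEST = build_request([(USER_NAME, b"alice"),
    (USER_PASSWORD, hide_password(b"correct horse battery", SECRET, AUTH))], AUTH)
EAP_REQUEST = build_request([(USER_NAME, b"alice"),
    (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")], AUTH)
```

The hiding is keyed only by the shared secret and the request authenticator, so the password in a PAP request is exactly as well protected as that secret and the path between the portal and the RADIUS server.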