Degradation of service when authentication fails with Windows AD

Antonio Alberola aalberola at
Thu Feb 7 10:51:52 CET 2013

> The PAM APIs are synchronous, and don't offer timeout options.
> It's not possible to timeout a PAM call; FreeRADIUS is entirely
> at the mercy of PAM.
> Don't use PAM, it's not suitable for your needs. Use "ntlm_auth",
> and FreeRADIUS can timeout the call.

We migrated to PAM when the problems started. Previously we used "ntlm_auth"
and the problem appeared more frequently. I also recommended using
PAM-Kerberos because they said it was better integrated with Windows.
Is "ntlm_auth" the best way to authenticate with Windows AD? We have several
domains to authenticate and need stability in case one of them does not

More information about the Freeradius-Users mailing list