Active Directory authentication question

Roberto Carna robertocarna36 at
Wed Sep 18 16:39:40 CEST 2013

Sorry, so I'm a bit confused...

I'm using Windows 7 clients for accesing the WiFi network through
EAP-TLS with X.509 certificates. But in this way, I could see that I
can authenticate users or hosts...if I choose users, I can see a
dialog box to fill user and password and I suppose they are checked
against MySQL database (because I see the query in debug mode). Is
this correct or not ???

And finally, if I use EAP-TLS with X.509 certificates, do you mean I
don't need to use the authentication against the active directory
database ??? Maybe this is easier to me because I've put EAP-TLS to

Thanks a lot,


2013/9/18 Alan DeKok <aland at>:
> Roberto Carna wrote:
>> Dear, I have several Windows 7 clients over WiFi autheticating throug
>> EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it
>> works OK.
>   EAP-TLS doesn't use MySQL for storing credentials.  Everything is in
> the certificate.
>> Now I have to change the authentication from MySQL to a remote Active
>> Directory on a Windows 2012 server.
>   FreeRADIUS is an authentication server.  MySQL is not.  It's a database.
>   Using the correct terminology menas it's easier to come up with a
> solution.  Using the wrong terminology means you're lost, and you can't
> find a solution.
>> Because I don't know so much about Windows world, I need to know if I
>> have to use NTLM, LDAP or Kerberos in order to authenticate against
>> the remote AD.
>   For MS-CHAP and PEAP, you use ntlm.  You don't have any other choice.
>   For EAP-TLS, you don't use AD or MySQL.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list