Active Directory authentication question

stefan.paetow at stefan.paetow at
Thu Sep 19 12:44:49 CEST 2013

> What I mean is that EAP-TLS is easier to me than AD authentication at
> this point, because I've just put it to work...and if I want to use AD
> auth I have to take EAP-TLS out and start again with NTLM / AD
> it OK ???

Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2 authentication. What you can do in eap.conf is specify which EAP type you want to use by default. If you prefer EAP-TLS, you can specify default_eap_type = tls. But if the client does not support that and asks for EAP-TTLS or PEAP instead, then, if your server is configured correctly, it can support those additional types too. 

For NTLM authentication, what you *do* need is to add your FreeRADIUS machine to the Windows 2012 domain. Since you're on a flavour of Unix/Linux, you need to install Samba on your Linux box and configure it to talk to the Windows 2012 domain controller (via Kerberos).

You may want to read this page, which describes how we've made authentication against Active Directory work with PEAP (specifically PEAP with EAP-MSCHAPv2) and EAP-TTLS with EAP-MSCHAPv2:

We don't use PEAP and don't have any test clients that support PEAP, but EAP-TTLS/EAP-MSCHAPv2 works splendidly (which is good enough for our purposes and is widely supported by Windows clients).

You can use rad_eap_test (there is information about this on the link above, including how to build the binary) to specify which EAP method you want to use and then which inner authentication to use (where applicable). So you can leave your existing setup (I assume default_eap_type is 'tls') alone and still test your NTLM authencation. 

Folks, feel free to correct... but that's what worked here.


This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom

More information about the Freeradius-Users mailing list