FreeRadius - ActiveDirectory authentication multiple domains

Phil Mayers p.mayers at
Fri Aug 29 13:33:43 CEST 2014

On 29/08/14 12:10, Ricardo Esteves wrote:
> Hi,
> I need to setup a radius server in order to authenticate users against
> ActiveDirectory.
> But i've got one problem, my activedirectory has multiple domains, for
> example:
> Anyone has any idea on the best way to accomplish this task? Multiple
> LDAP configurations?
> For example with multiple ldap settings is there anyway to preprocess
> the autentication request with a script to find which domain the user
> belongs and then use the corresponding ldap configuration to that domain?

Your question is a bit vague, but the short (unhelpful) answer is yes. 
See the example config for the "exec" module, the documentation about 
defining module instances, and the if/switch/case statement in "man unlang".

If you want more info, you'd need to give a bit more detail before 
people could help you, such as:

  1. What authentication types (EAP, MSCHAP, PAP)
  2. Will the usernames be qualified or unqualified
  3. Are usernames unique across all domains

Note also that AD LDAP will not expose passwords or password hashes. You 
can't authenticate against it except when doing plain PAP, which are 
proxied to LDAP binds. In particular you can't authenticate EAP/802.1x 
wireless or MSCHAP (common for VPNs) against AD LDAP.

If AD LDAP isn't sufficient you'll end up needing to run multiple copies 
of Samba or deal with domain/forest trust issues, which gets complex 

More information about the Freeradius-Users mailing list