Limitation of authenticating against AD

Dennis Xu dxu at
Wed Sep 3 18:24:29 CEST 2014

Thanks for the information. So FreeRadius uses LDAP to authenticate against AD, and LDAP cannot read the passwords in those formats. Apparently ACS has a different implementation for authenticating against AD, in that they don't care about the password format stored in AD:


----- Original Message -----
From: "Alan DeKok" <aland at>
To: dxu at, "FreeRadius users mailing list" <freeradius-users at>
Sent: Wednesday, September 3, 2014 12:01:53 PM
Subject: Re: Limitation of authenticating against AD

Dennis Xu wrote:
> I am looking for confirmation that because our AD stores passwords in crypt'd or SHA1 format, we cannot use FreeRadius to authenticate against our AD using PEAP and EAP-MSCHAPv2?

  No.  AD stores its passwords in NT-Hash format.  And it does NOT
allow FreeRADIUS (or anyone) to read those passwords via LDAP.

> Is the above link still up-to-date? 


  Alan DeKok.
