Limitation of authenticating against AD

Stefan Paetow Stefan.Paetow at
Wed Sep 3 18:46:08 CEST 2014

> Thanks. Yes we have to configure FreeRadius server to use ntlm_auth. But
> my problem is that our AD does not store passwords in NT hash format. They
> use SHA1 hash or crypt'd format.

Are you SURE that's ActiveDirectory? AD only supports NT Hash and LM Hash. But if you have Active Directory that has its groups pushed to other LDAP servers (like OpenLDAP), then SHA1 is a possibility. If that is the case, try authentication against the REAL domain controller for the domain, not one of the other LDAP instances.

You can try binding to the LDAP instance as user, but then you are limited to PAP and its tunnelled versions (via EAP-TTLS or EAP-TTLS/EAP-GTC) as per the compatibility matrix that you referred to.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

More information about the Freeradius-Users mailing list