How-To for setting up ldap for Active Directory

Lord Felix felix107 at
Mon Sep 8 10:14:31 CEST 2014

Hi Everyone,

I'm new to freeRadius and I've been reading some of the mailing list e-mails. 

I've got freeRadius with Cento 6 which is version 2.1.12 installed.

So I've followed the instructions for getting freeRadius working ntlm_auth with Windows 2012 Active Directory, based on the link below:

Everything works great! 

The only issue is now I need Dynamic Vlan working and I also need to look up mac address via from a mssql database to validate the user to allow access to the network. 

After reading more about ntlm_auth, it will only respond to true or false and this method  doesn't really help with want I want to accomplish.

What I need to do is based on what group the user belongs to, they are assigned to that specific vlan. i.e. if you are a staff you go to VLAN 7 and if you are a student you go to vlan 9.

Is there any How-To guide for setting up ldap for Active Directory just like the link above? 

I've tried to setup the ldap module and I'm running into issues. 

This is how my ldap config looks like:

ldap {
        server = ""
        basedn = "dc=xxx,dc=xxx,dc=xxx"
        filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
        groupmembership_attribute = "Administrators"
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
       dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
         groupname_attribute = cn
         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
         groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
        ldap_debug = 0x0028 
        keepalive {
                idle = 60
                probes = 3
                interval = 3

Here is my debug info, and I know it's not working, because I don't even see it trying to contact the radius server, which is why I'm asking if there is quick HowTo:
rad_recv: Access-Request packet from host port 33583, id=125, length=74
        User-Name = "xxxxxxx"
        User-Password = "xxxxxxx"
        NAS-IP-Address = xx.xx.xxxx
        NAS-Port = 0
        Message-Authenticator = 0x1c451a3ee1cd4caabec9e764c4006d2b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> xxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'xxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User username not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> xxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 125 to port 33583
Waking up in 4.9 seconds.
Cleaning up request 1 ID 125 with timestamp +2007
Ready to process requests.

Someone also posted that they can get ntlm_auth working with groups and you need to chat the stuff around? It would be great if someone can provide a how on this to work with dynamic vlan. 

Any help would be greatly appreciated. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list