infamous AD integration

Matthew Newton mcn4 at
Thu Jun 16 17:21:10 CEST 2016

On Thu, Jun 16, 2016 at 04:05:49PM +0100, lejeczek via Freeradius-Users wrote:
> what I don't get is - this is radtest but how does it matter to
> a radius clients, say a net switch? Do all the clients have to
> specify auth method?

Clients send different types of authentication to the RADIUS
server. You need to know what your clients are doing.

Yes, the client drives which auth method is used.

> I thought we configure this different "backends" so radius
> server will traverse them all in search of a user account of
> which client has to know none.

Of course - you have to configure the server to handle whatever
all your clients send. If the clients will send PAP requests which
you want to authenticate against AD, then you'll need to configure
FreeRADIUS to do that.

The standard "pap" module will handle PAP requests when the
password has been pulled out of a backend database (local file,
sql, ldap etc) but not AD because it won't give you access to the
password hash.

> One more thing - having mschap/ntlm I do not need to configure
> radius server to lookup AD's ldap at the same time, do I? Would
> there be a case when one would have both ntlm & ldap go to the
> same on AD?

You configure ldap lookup against AD if you want to pull back LDAP
attributes to enforce some policy. If you're just doing auth then
you likely don't need it.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list