Freeradius in dmz (not joined to AD) and authorization from AD LDAP

Matthew Newton matthew at
Tue Apr 25 10:06:17 CEST 2017

On 25 April 2017 08:45:49 BST, chose <chose at> wrote:
> Is it able to authorize users from Windows AD LDAP from FreeRADIUS in a
> DMZ zone without joining AD (security reasons)?

Yes, with limitations, depending on your situation.

> I found that there is a
> problem with the password hash; FreeRADIUS gets the password in MSCHAPv2

Because AD won't give you the password hash in the LDAP response, the only option you have got is to attempt to bind, which needs a clear password. So doing this means you're limited to PAP based methods.
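
The bind-only setup described above, as an added configuration sketch that is not part of the original message. It assumes the FreeRADIUS 3.x file layout; the host name, DNs, service account, secret and CA file name are placeholders.

```text
# mods-enabled/ldap  (placeholder values throughout)
ldap {
	# LDAPS, because the user's clear password crosses from the DMZ to the DC in the bind
	server = 'ldaps://dc1.example.org'
	# Read-only account used only to search for the user's DN (assumed to exist)
	identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=org'
	password = 'CHANGE_ME'
	base_dn = 'DC=example,DC=org'

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	options {
		chase_referrals = yes
		rebind = yes
	}
	tls {
		ca_file = ${certdir}/ad-ca.pem
		require_cert = 'demand'
	}
}

# sites-enabled/default
authorize {
	# Look the user up in AD; no password hash comes back in the result
	ldap
	# User-Password is only present for PAP (or a PAP inner method).
	# An MS-CHAPv2 request never matches here, so it gets no Auth-Type
	# from this block and cannot be authenticated by a bind.
	if ((ok || updated) && User-Password) {
		update control {
			Auth-Type := ldap
		}
	}
}

authenticate {
	# Bind to AD as the user's DN with the password taken from the request
	Auth-Type LDAP {
		ldap
	}
}
```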

