Best FR backend authentication method for Microsoft AD

Alan DeKok aland at
Fri Jul 14 20:01:41 CEST 2017

On Jul 14, 2017, at 12:09 PM, Diggins Mike <diggins at> wrote:
> I've been running FreeRadius v2 for many years with Samba and NTLM_AUTH to authenticate my users with very few issues. I'm about to refresh my FreeRadius servers to V3 and wondered if that was still the best method to use. My organization has a number of other services using LDAP to authenticate to AD and I am considering changing to that, or at least I was until I read that this was NOT recommended.

  The issue isn't that it's "not recommended".  The issue is that it's impossible to authenticate MS-CHAP agains AD without ntlm_auth.

> If I must use the AD backend (and I must), what is the best method from a reliability, security, and performance perspective?

  If the clients are doing PAP, use LDAP and ldap "bind as user".

  If the clients are doing MS-CHAP / PEAP, use ntlm_auth.

  There really aren't any other choices.

> My FR authenticates and authorizes my Wi-Fi users (WPA2 enterprise with certs) and VPN. I also have a separate pair of FR servers for Eduroam. My AD is Windows 2016 if that helps.

  If ntlm_auth works, use it.

  Alan DeKok.

More information about the Freeradius-Users mailing list