FreeRADIUS + Microsoft Active Directory

Herwin Weststrate herwin at quarantainenet.nl
Thu Jun 8 11:05:15 CEST 2017


On 08-06-17 10:55,  Konstantin Knaab-Hinrichs via Freeradius-Users wrote:
> Do I interpret this the right way? Even if a Microsoft Active
> Directory allows anonymous queries, FreeRADIUS can't authorize using
> the Active Directory LDAP because the password a user entered
> isn't verified by the LDAP?
> 
> AP -> RADIUS (Access-Request) -> anonymous Active Directory
> (MS-CHAPv2) -> LDAP says something like "yes" -> RADIUS
> (Access-Accept)
> 
> why isn't this possible?

Because you need to read the password hashes from the LDAP-server, and
that is not allowed (and shouldn't be).

Another option is to bind to the LDAP server with the user credentials,
but you'd need the plaintext password of the user in the RADIUS packet
to make that work (PAP, optionally wrapped in EAP/TTLS).

-- 
Herwin Weststrate
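The point made above (bind-as-user works with PAP because the plaintext is recoverable from the Access-Request, but not with MS-CHAPv2 because the packet only carries a challenge/response) can be shown on the wire. The following is an added example written for this page, not code from the thread or from FreeRADIUS: it implements the RFC 2865 section 5.2 User-Password hiding and its reversal, parses the MS-CHAP2-Response value layout from RFC 2548 section 2.3.2, and decides whether an LDAP simple bind is even possible. The shared secret, Request Authenticator, user name and password are constructed sample values, and the attribute dictionaries stand in for a decoded packet; nothing here contacts a RADIUS client or an LDAP server.

```python
"""
Why a bind-as-user LDAP check works for PAP but not for MS-CHAPv2.

PAP puts the user's password in the User-Password attribute, hidden with
MD5(shared secret || Request Authenticator) per RFC 2865 section 5.2. The
RADIUS server knows both inputs, so it gets the plaintext back and can use
it for an LDAP simple bind. MS-CHAPv2 (RFC 2548 section 2.3.2) only carries
a peer challenge and a 24-byte NT-Response, so there is no plaintext to bind
with and no way to verify the response without the account's NT hash.
"""
import hashlib


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: produce the User-Password attribute value (RFC 2865 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator                    # b1 = MD5(S + RA), bi = MD5(S + c(i-1))
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = _xor16(padded[i:i + 16], block)
        out += c
        prev = c
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the plaintext the client sent."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    # Padding is NUL bytes; a real password ending in 0x00 is therefore
    # ambiguous in this scheme, which is a limitation of the RFC, not of us.
    return out.rstrip(b"\x00")


def parse_mschap2_response(value: bytes) -> dict:
    """Split the MS-CHAP2-Response value: Ident(1) Flags(1) Peer-Challenge(16)
    Reserved(8) NT-Response(24). Note that no field is the password."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 bytes")
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def bind_credentials(attrs: dict, secret: bytes, authenticator: bytes):
    """Return (user, plaintext) usable for an LDAP simple bind, or None when
    the request carries no recoverable password (the MS-CHAPv2 case)."""
    user = attrs.get("User-Name")
    hidden = attrs.get("User-Password")
    if user is None or hidden is None:
        return None
    return user.decode(), reveal_user_password(hidden, secret, authenticator)


# Constructed sample data; not captured from any real network or directory.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))            # random in a real Access-Request
PAP_REQUEST = {
    "User-Name": b"jdoe",
    "User-Password": hide_user_password(b"correct horse battery staple", SECRET, AUTHENTICATOR),
}
MSCHAP_REQUEST = {
    "User-Name": b"jdoe",
    "MS-CHAP-Challenge": bytes(16),
    "MS-CHAP2-Response": bytes([1, 0]) + bytes(16) + bytes(8) + bytes(24),
}

if __name__ == "__main__":
    print("PAP     ->", bind_credentials(PAP_REQUEST, SECRET, AUTHENTICATOR))
    print("MS-CHAP ->", bind_credentials(MSCHAP_REQUEST, SECRET, AUTHENTICATOR))
    print("MS-CHAP fields:", sorted(parse_mschap2_response(MSCHAP_REQUEST["MS-CHAP2-Response"])))
```

The same asymmetry is why the User-Password hiding is only as strong as the shared secret and the randomness of the Request Authenticator: anyone who has the secret and sees the packet recovers the password exactly as `reveal_user_password` does, which is the reason PAP is normally only acceptable inside a TLS tunnel such as EAP-TTLS.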