FreeRADIUS + Microsoft Active Directory

Alan DeKok aland at
Thu Jun 8 17:34:41 CEST 2017

> On Jun 8, 2017, at 11:18 AM,  Konstantin Knaab-Hinrichs via Freeradius-Users <freeradius-users at> wrote:
> My colleagues and I guessed that FreeRADIUS uses user credentials
> automatically if no identity is set in mods-available/ldap because we
> couldn't figure it out based on what's in the freeradius wiki.

  FreeRADIUS uses what's available.  The debug output shows what's available.

  If there's a User-Password in the packet, FreeRADIUS can do an LDAP bind.

  If there's MS-CHAP data in the packet, FreeRADIUS MUST use ntlm to AD.

> Where do I recognize that this is the problem when authenticating? reading
> the radiusd -X output shows me a successful LDAP bind, but everything
> results in an Access-Reject after no answer from the Microsofft Active
> Directories LDAP.

  Then fix AD so that it responds to LDAP queries.

  Even if you get the LDAP query wrong, AD *should* respond with "nothing found".  That is a different error from "AD doesn't answer".

  Again. reading the debug output will tell you exactly what's going on.  Or, if you don't understand it, post it here.

  Alan DeKok.

More information about the Freeradius-Users mailing list