freeradius + ldap (AD) + dot1x

Mathieu Simon (Lists) matsimon.lists at
Sun Jun 11 12:36:57 CEST 2017

Am 11.06.2017 um 11:41 schrieb Paweł Grzęda:
> Hello,
> Tutorial:
> I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the
> binding works, however I still can't get Access-Accept message. I think
> my problem is related to clear-text passwords (warning about no known
> good password), however I don't know how to fix it. Is it a way to
> configure this to be securely?
Assuming Samba 4 tries to work and behave like AD on Windows Server I
imagine it does the same by default:

"Active Directory does not allow FreeRADIUS to query the user's password
via LDAP, or LDAPS." (Alan D. on a thread only a couple of days before)

I haven't confirmed this since I did never use FR with a Samba 4 Domain,
but only with Windows-based AD services. Though there seems to be a
possibility to permit it by an ACL in smb.conf to allows this.

By default I'd assume like with a Windows AD: Join the FR server to your
Samba 4 AD domain and use NTLM authentication (like mentioned in your
linked page).

You'd have to select between the older method using ntlm_auth, oder
directly via Winbind. (read the config file for the mschap module)

Have a look on integrating with a Windows-based AD:

Good luck.

-- Mathieu

More information about the Freeradius-Users mailing list