freeradius + ldap (AD) + dot1x

Matthew Newton mcn at
Sun Jun 11 12:36:58 CEST 2017

On 11 June 2017 10:41:27 BST, "Paweł Grzęda" <pawel.grzeda at> wrote:
>I'm trying to prepare a solution which will
>provide authentication for PC/laptop's in corporate network. I need
>for Cisco switches and Ubiquiti APs/controller.

So you will be doing EAP. Have you decided what EAP methods you want to use?

>There is Samba4 configured as domain controller which is central authentication point.
>I installed Freeradius 3.0.14 on Fedora 25.


>I red all the man pages and
>documentation stored in configuration files and to be honest it's huge
>amount of information which is not clear for a newbie.

I understand. It's a big learning curve to start with.

>I also used
>tutorial which seems to be third-party, however link was on official
>freeradius wiki I think.

Well, anyone can edit the wiki, so being there doesn't make anything official. That describes LDAP against AD, which isn't a great experience. You're basically limited to EAP-TTLS/PAP, as AD won't give you the password hash.

>I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and
>binding works, however I still can't get Access-Accept message. I think
>my problem is related to clear-text passwords (warning about no known
>good password), however I don't know how to fix it. Is it a way to
>configure this to be securely?

What devices are you connecting? If they are all joined to your Samba domain then presumably there is a domain certificate authority in use like real AD? In which case configure EAP-TLS with certificates and forget about LDAP. It'll be far more secure and faster to authenticate as well.

Otherwise installing Samba on your FreeRADIUS server and using ntlm_auth type methods with MSCHAPv2 is probably the only real option.


More information about the Freeradius-Users mailing list