Freeradius + AD authentication passing Domain+User

Alejandro Cabrera Obed aco1967 at
Wed Jun 21 20:12:49 CEST 2017

Dear Alan, I'm following your guide "Configuring Authentication with Active
Directory" (
directory.html) in order to analyze my configuration issues.

Please, I will show you the most important parts of the tutorial, and I will
tell you what I put in or what I get from the tests, so you can comment below
if you can:

1) Configuring Freeradius to use ntlm_auth, in

exec ntlm_auth {
                wait = yes
                program = "/usr/bin/ntlm_auth --request-nt-key
<http://DOMAIN.COM> --username=%{mschap:User-Name}

But in /etc/freeradius/sites-enabled/default and inner-tunnel, I do not have
the following authenticate sections at all:

authenticate {

If I have to put them, what do I have to add in the "..." lines you don't

2) After that, you recommend using the testing command:

$ radtest user password localhost 0 testing123

Does this user correspond to my domain "DOMAIN.COM", or is it a local user in
order to test the config ???

3) Configuring Freeradius to use ntlm_auth for MSCHAP

In the /etc/freeradius/modules/mschap file I put:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
<http://DOMAIN.COM>} --challenge=%{mschap:Challenge:-00}

After that I start the Freeradius service in debug mode, and I use radtest
command to send a MSCHAP authentication request. I have Freeradius 2.2.5,
so I execute:

$ radtest -t mschap bob hello localhost 0 testing123

Is bob/hello a username/password from DOMAIN.COM ???

If I execute this in this way:

Sending Access-Request of id 220 to port 1812
        User-Name = "alejandro at <alcabrera at>"
        NAS-IP-Address =
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0xdb6688ffc58b6208
        MS-CHAP-Response = 0x0001000000000000000000000000
rad_recv: Access-Reject packet from host port 1812, id=220,
        MS-CHAP-Error = "\000E=691 R=1"

Please, I'll be waiting for your feedback. Special thanks !!!


2017-06-15 14:05 GMT-03:00 Alan DeKok <aland at>:

> > On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967 at>
> wrote:
> >
> > Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi
> users
> > from cell phones and notebooks.
> >
> > In the case of cell phones, the users type the corresponding usernames
> and
> > passwords and after that Freeradius passes it to the AD and everything
> > works OK.
>   That's good.
> > In the case of the notebooks, the Windows users are logged into our DC
> > domain, then they type the username or username at domain or
> domain\username
> > with the corresponding passwords but in these cases they can't
> > authenticate against the AD (there is a reject message in the Freeradius
> > log).
>   So... what is the reject message?
>   Please post the full debug output as suggested in the FAQ, "man" pages,
> wiki, and daily on this list.
> > In case they are not logged into the domain, and they are local users
> > in the notebooks, if they type just their usernames (without domain) they
> > authenticate OK.
>   That's good.
> > So how can I authenticate Windows users against the AD when they are
> logged
> > into the domain??? Do I have to define a special directive in a config
> file
> > from freeradius, winbind or samba?
>   It's not magic.  But it DOES require that you read the debug output.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> list/users.html

 //  Alejandro   //
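The three username forms mentioned in the thread ("username", "username@domain" and "domain\username") reach FreeRADIUS as one User-Name string, and ntlm_auth wants the NT domain and the bare user as separate `--domain` and `--username` arguments. The script below is an added example, not code from the thread, the FreeRADIUS project or Alan's guide: it splits the three forms the way the `%{mschap:NT-Domain}` / `%{mschap:User-Name}` expansions and the realm modules do, and assembles the ntlm_auth command lines that the exec module (PAP, `--password`) and the mschap module (`--challenge` / `--nt-response`) would run. The default NT domain `DOMAIN`, the mapping of the DNS realm `domain.com` to the NT domain `DOMAIN`, and the sample challenge/response values (copied from the radtest output in the post) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): normalize Windows-style usernames and
# build the ntlm_auth command lines FreeRADIUS's exec and mschap modules run.
# Assumptions: NT domain "DOMAIN" for bare usernames; DNS realm -> NT domain
# by upper-casing the first DNS label (domain.com -> DOMAIN).

DEFAULT_DOMAIN="${DEFAULT_DOMAIN:-DOMAIN}"      # assumed NT domain for bare users
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"    # path used in the original post

# split_nt_user NAME  ->  prints "NTDOMAIN user"
split_nt_user() {
    name=$1
    case "$name" in
        *\\*)   # DOMAIN\user: NT domain is everything before the backslash
            dom=${name%%\\*}
            usr=${name#*\\}
            ;;
        *@*)    # user@domain.com: realm after '@'; assume NT domain is the
                # first DNS label upper-cased (this mapping is an assumption)
            usr=${name%%@*}
            dom=${name#*@}
            dom=$(printf '%s' "${dom%%.*}" | tr '[:lower:]' '[:upper:]')
            ;;
        *)      # bare user: fall back to the assumed default domain
            usr=$name
            dom=$DEFAULT_DOMAIN
            ;;
    esac
    printf '%s %s\n' "$dom" "$usr"
}

# ntlm_auth_pap_cmd NAME PASSWORD  ->  argv the exec module would run (PAP)
ntlm_auth_pap_cmd() {
    pair=$(split_nt_user "$1")
    printf '%s --request-nt-key --domain=%s --username=%s --password=%s\n' \
        "$NTLM_AUTH" "${pair%% *}" "${pair#* }" "$2"
}

# ntlm_auth_mschap_cmd NAME CHALLENGE NT_RESPONSE  ->  argv the mschap module runs
ntlm_auth_mschap_cmd() {
    pair=$(split_nt_user "$1")
    printf '%s --request-nt-key --domain=%s --username=%s --challenge=%s --nt-response=%s\n' \
        "$NTLM_AUTH" "${pair%% *}" "${pair#* }" "$2" "$3"
}

# ntlm_auth_pap_check NAME PASSWORD  ->  really runs ntlm_auth when it is
# installed and the host is joined to the domain; exit 0 means accepted.
ntlm_auth_pap_check() {
    [ -x "$NTLM_AUTH" ] || { echo "ntlm_auth not installed at $NTLM_AUTH" >&2; return 2; }
    pair=$(split_nt_user "$1")
    "$NTLM_AUTH" --request-nt-key --domain="${pair%% *}" --username="${pair#* }" --password="$2"
}

# Demo: the same user in all three forms ends up as --domain=DOMAIN --username=bob.
# (challenge/response below are the constructed values seen in the radtest output)
for n in 'DOMAIN\bob' 'bob@domain.com' 'bob'; do
    ntlm_auth_pap_cmd "$n" hello
    ntlm_auth_mschap_cmd "$n" db6688ffc58b6208 0001000000000000000000000000
done
```

Whatever the split produces, the authoritative record of what ntlm_auth was handed and what it answered is the server's own debug output (`radiusd -X`), which is the point of Alan's reply; in the Access-Reject shown above, `E=691` is MS-CHAP's ERROR_AUTHENTICATION_FAILURE code (RFC 2759), i.e. the domain/username/response combination passed to ntlm_auth was not accepted. Note also that ntlm_auth's `--domain` expects the NT (short) domain name, so a `user@domain.com` string passed through unsplit will not be looked up in the right place.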
