LDAP and AD authentication on the same FreeRadius server

Denis CLAVIER dclavier at i-tracing.com
Mon Jul 23 17:14:48 CEST 2018

Hi Alan,

Thank you for your quick answer. 

Your solution is exactly what I wanted to do. I tried it and it works well. I knew that proxy.conf could redirect on the local server but I did not know the syntax to retrieve the domain and update the Auth-Type. Thanks again :)



----- Mail original -----
De: "Alan DeKok" <aland at deployingradius.com>
À: "freeradius-users" <freeradius-users at lists.freeradius.org>
Envoyé: Lundi 23 Juillet 2018 15:06:11
Objet: Re: LDAP and AD authentication on the same FreeRadius server

On Jul 23, 2018, at 5:26 AM, Denis CLAVIER via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I am trying to set up a FreeRadius server for a VPN connection used by users stored in an LDAP or in an AD. I succeeded to authenticate on LDAP and on AD separately with the two following radtest commands : 
> LDAP : radtest dclavier "password" localhost 0 testing123
> AD : radtest -t mschap dclavier "Password1234*" localhost 0 testing123
> However, I would like to configure the FreeRadius server to authenticate users on LDAP or AD, based on the realm. For example, user dclavier at ldap.com should use ldap authentication, and dclavier at ad.com should use mschap authentication (or ntlm_auth) without specifying which method to use. So, I would like FreeRadius to choose the right Auth-Type according to the realm. At least, I would like FreeRadius to try the second auth-type if the first failed.

  It's better to do it right the first time.  Getting it wrong and doing something else is bad.

> I looked at the proxy.conf file to perform what I want, but I can't find how to specify the auth type for each realm.

  You have to put that together yourself.

  FreeRADIUS gives you the tools to solve problems.  It doesn't give you every solution to every possible problem that everyone can have.

> So I would like to know if it is possible to perform authentication for users from LDAP and users from AD with only one FreeRadius server. If yes, I would be happy if you can suggest how to do it.

  Configure the two realms:

ldap.com {


  This tells the server that the realms exist, but that they shouldn't be proxied anywhere.  The documentation in "proxy.conf" should give you more guidance here.

  Then, in the "authorize" section, after the "suffix" module, do:

	if (Realm == "ldap.com") {
		update control {
			Auth-Type := "ldap"
	elsif (Realm == "ad.com") {
		update control {
			Auth-Type := "ad"


  Alan DeKok.

List info/subscribe/unsubscribe? See https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeradius.org_list_users.html&d=DwIGaQ&c=S0GBjLWEy_0iewzdNl71utYJrfZn9LGglyvXCNv52BA&r=TmpxRetpKPZFIeIgEOaGEvjuCUYHud9_hZS_TAV75hY&m=M3pUpR5PJWnklgOqKBao2VKj4-UNpDvxZ1XX77Y6RYU&s=4NOI2KFCqeRZlzenZgpvEvZDBI-AumNSP4YRKZhk37k&e=

More information about the Freeradius-Users mailing list