MSCHAP - NTLM against groups

Alan DeKok aland at
Mon Oct 21 16:44:19 CEST 2019

On Oct 21, 2019, at 9:33 AM, Micha Ballmann <ballmann at> wrote:
> Thank you very much for your fast answer.
> There is a prefix like "--require-membership-of="
> I disabled winbind directly auth, enabled ntlm_auth and added "--require-membership-of='DOMAIN\wlan".
> It works!

  That's good.

> Is there any disadvantage to LDAP?

  If you're doing one group check,  "--require-membership-of=" is fine.  If you're doing multiple group checks, it won't work.  You'll have to use LDAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list