Quick question regarding FR auth against MS AD

275972560 at qq.com
Wed Apr 21 04:30:55 CEST 2021

Hello, FR Users

I recently built a lab environment in which I want to test the 802.1X dynamic VLAN
feature for our network facility. FreeRADIUS is the RADIUS server in this
lab; we don't use the users file, and we want FR to use MS AD 2016 as the external user
source, preferably with PEAP+MSCHAPv2.

In my lab, I followed the guide on this site
http://deployingradius.com/documents/configuration/active_directory.html and
the following tested OK:

 1. We configured ntlm_auth to get the NT key from MS AD for authentication;
this works fine. In the lab I installed FR on Ubuntu, but I realize that in our
production environment we use FreeRADIUS on pfSense, so this looks
impossible because pfSense doesn't provide Samba and krb packages.
 2. We also tested using an LDAP bind against AD for authentication; this
worked with FR on both Ubuntu and pfSense. However, again, this is
limited to the EAP-TTLS + PAP authentication method, which is not our preferred auth method.

But I was told by one of my colleagues that he did succeed with PEAP&MSCHAP in the
FreeRADIUS package on pfSense. I was confused about how he did that, because I
have read discussions saying that MS AD will never disclose the NT hash through the LDAP protocol,
and the only way is to join the Windows domain and get the NT key with Samba. So my question
in this post is:
 With the requirement of PEAP&MSCHAP, is there a third way of getting FreeRADIUS
working with MS AD on pfSense (without Samba/krb support in pfSense), or
did I miss something in the FreeRADIUS configuration?
Thanks in advance.
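For reference, here are the two configurations the post describes side by side, as an added example (not taken from the original post and not the FreeRADIUS project's shipped files). It shows the FreeRADIUS 3.x mschap module calling ntlm_auth for PEAP/MSCHAPv2 and the ldap module doing a bind-as-user for EAP-TTLS/PAP, with the inner-tunnel routing that keeps them apart. The domain name EXAMPLE, the host dc1.example.local, the bind DN, the password and the user alice are placeholders. The security-relevant split is visible in the routing: an MSCHAPv2 inner exchange carries only a challenge/response derived from the NT hash, so the server must be able to obtain that hash (here via a winbind that has joined the domain), whereas a PAP inner exchange carries the cleartext password inside the TLS tunnel, which is the only thing an LDAP bind can check.

```conf
# mods-available/mschap: PEAP/MSCHAPv2 verification via Samba winbind.
# --request-nt-key makes ntlm_auth return the NT key the module needs
# (for the MPPE keys); winbind can only answer because the host is joined
# to the domain. DOMAIN, binary path and attribute names are as shipped
# with FreeRADIUS 3.x except for the placeholder domain EXAMPLE.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# Manual check from the shell before involving RADIUS at all (placeholder
# credentials); success prints "NT_STATUS_OK: Success (0x0)":
#   ntlm_auth --request-nt-key --domain=EXAMPLE --username=alice --password='...'

# mods-available/ldap: AD bind, usable for EAP-TTLS/PAP only.
# Server, identity, password and base_dn are placeholders.
ldap {
    server = 'dc1.example.local'
    identity = 'CN=radius,CN=Users,DC=example,DC=local'
    password = 'placeholder'
    base_dn = 'DC=example,DC=local'
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-available/inner-tunnel (trimmed to the relevant sections): route each
# inner method to the module that can verify it. The mschap module sets
# Auth-Type MS-CHAP when it sees MS-CHAP attributes; the ldap bind is only
# selected when a cleartext User-Password (PAP) is present.
server inner-tunnel {
    authorize {
        mschap
        ldap
        if ((ok || updated) && User-Password && !control:Auth-Type) {
            update {
                control:Auth-Type := ldap
            }
        }
        eap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type ldap {
            ldap
        }
        eap
    }
}
```

The ntlm_auth check is the quickest way to separate a domain-join or winbind problem from a FreeRADIUS problem: if it fails on the shell, no mschap configuration will make PEAP/MSCHAPv2 work, and if it succeeds, the remaining work is in the module and inner-tunnel sections above.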

