Quick question regarding FR auth against MS AD

Alan DeKok aland at deployingradius.com
Wed Apr 21 22:24:04 CEST 2021

On Apr 20, 2021, at 10:30 PM, 275972560 at qq.com wrote:
> I recently built a lab environment which I want to test 802.1x dynamic vlans
> features on our network facility. FreeRadius as the radius server in this
> lab, we don't use users file, we want FR to use MS AD 2016 as external user
> source, preferred PEAP+mschapv2.
> In my lab, I followed guide of this site
> http://deployingradius.com/documents/configuration/active_directory.html and
> the following tested ok..

  That's good.

> but I was told by one of my colleagues that he did succeed peap&mschap in
> Freeradius package in pfsense, I was confused how did he do that, because I
> read discussion that MS AD will never disclose NTHASH through ldap protocol,
> the only way is join windows domain and get NTKEY with samba, so my question
> of this post is: 
> with requirement of PEAP&MSCHAP, is there a third way of getting Freeradius
> working with MS AD in pfsense OS? (without samba/krb support in pfsense) or
> did I miss something in FreeRadius configuration? 

  Install Samba on another machine, and point FreeRADIUS at that.

  There really is no other choice than to use Samba for PEAP with Active Directory.

  Alan DeKok.

More information about the Freeradius-Users mailing list