Active Directory authenticated VPN

Alan DeKok aland at
Thu Apr 22 15:36:50 CEST 2021

On Apr 22, 2021, at 9:07 AM, Pisch Tamás <pischta at> wrote:
> I would like to set up VPN on a Samba DC (Debian Bullseye). I could set it
> up with ntlm_auth, but I read that ntlm_auth may serve about 30 requests per
> second maximum, and uses SMBv1.
> I would like to filter users by group or msNPAllowDialin AD property.
> I can use:
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"
> in mschap, but how can I filter users?

  Use LDAP group checking.  The "winbind" feature just does authentication.  It doesn't do anything else.

  See the LDAP-Group documentation for how to use LDAP groups.  In recent versions of the server, there are even pointers to this in mods-available/ldap.

  Alan DeKok.
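
A sketch of the LDAP group check suggested above for FreeRADIUS 3.x, added here as an illustration and not taken from the original thread or from the project's shipped configuration. The server URL, bind account, password, base DN and the group name "vpn-users" are placeholder assumptions; only the settings relevant to the group lookup are shown and belong merged into the existing files.

```conf
# mods-available/ldap (fragment; merge into the shipped file)
ldap {
	server   = 'ldaps://dc1.example.com'                     # placeholder DC
	identity = 'cn=radius-bind,cn=Users,dc=example,dc=com'   # placeholder bind account
	password = 'CHANGE_ME'                                   # placeholder
	base_dn  = 'dc=example,dc=com'                           # placeholder

	user {
		base_dn = "${..base_dn}"
		# Look the user up by the name winbind authenticates, i.e. the
		# MS-CHAP user name with the NT domain stripped.
		filter = "(sAMAccountName=%{mschap:User-Name})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'      # AD group object class
		name_attribute = cn
		membership_attribute = 'memberOf'   # user object lists its groups
	}
}

# sites-available/default (fragment) -- authorize section of the virtual
# server that handles the VPN requests
authorize {
	# ... existing modules (preprocess, mschap, etc.) stay as they are ...

	# winbind only verifies the password; membership is checked here.
	# "vpn-users" is a placeholder group name.
	if (!(LDAP-Group == "vpn-users")) {
		reject
	}
}
```

Running the server with radiusd -X shows the LDAP search issued for the LDAP-Group comparison, which confirms the filter matches the intended user and group before the policy is relied on.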
