Active Directory authenticated VPN

Alan DeKok aland at
Wed Apr 28 17:14:56 CEST 2021

On Apr 28, 2021, at 3:51 AM, Pisch Tamás <pischta at> wrote:
> I purged my configuration and started it again from the default state. The
> system is Debian Bullseye.

  That should work much better.

> Why doesn't vpn at work?

  Because Active Directory is too dumb to notice that it's responsible for "".

  The solution is two steps:

1) edit proxy.conf, and add:

realm {

  That defines the domain as something that FreeRADIUS knows about.  So that it will take "vpn at", and split it into pieces.

2) set

winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"

  Which says "use the Stripped-User-Name ("vpn" here), and if that doesn't exist, use %{mschap:User-Name}".

  That should work.

  Alan DeKok.
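
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the two steps above, showing which name reaches winbind for several login forms. The realm "example.org" is a placeholder (the real domain is not shown in the post), and the function names are hypothetical.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how the username
# handed to winbind is chosen by
#   winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"

# Realms defined in proxy.conf. "example.org" is a placeholder, since the
# real domain is not shown in the post.
LOCAL_REALMS = {"example.org"}


def suffix_split(user_name, realms=LOCAL_REALMS):
    """Model of the 'suffix' realm module: return Stripped-User-Name or None.

    The name is split at the last '@'. Stripped-User-Name is only created
    when the part after '@' is a realm the server knows about.
    """
    local, sep, realm = user_name.rpartition("@")
    if sep and local and realm in realms:
        return local
    return None


def mschap_user_name(user_name):
    """Model of %{mschap:User-Name}: drops a leading 'DOMAIN\\' prefix only.

    An '@realm' suffix is left in place (host/ machine names are not modelled).
    """
    return user_name.split("\\", 1)[-1]


def winbind_username(user_name, realms=LOCAL_REALMS):
    """Model of %{%{Stripped-User-Name}:-%{mschap:User-Name}}."""
    stripped = suffix_split(user_name, realms)
    return stripped if stripped is not None else mschap_user_name(user_name)


if __name__ == "__main__":
    # Constructed sample logins.
    for name in ("vpn@example.org", "vpn", "EXAMPLE\\vpn", "vpn@other.test"):
        print(f"{name!r:22} -> {winbind_username(name)!r}")
    # Step 1 skipped (realm not defined): the full name reaches winbind.
    print(winbind_username("vpn@example.org", realms=set()))
```

With the realm undefined, the last call returns the full "vpn@example.org", which is the name Active Directory then fails to match.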
