Active Directory authenticated VPN

Pisch Tamás pischta at
Tue May 4 11:36:57 CEST 2021

> > Why vpn at doesn't work?
>   Because Active Directory is too dumb to notice that it's responsible for
> "".
>   The solution is two steps:
> 1) edit proxy.conf, and add:
> realm {
> }
>   That defines the domain as something that FreeRADIUS knows about.  So
> that it will take "vpn at", and split it into pieces.
> 2) set
> winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"
>   Which says "use the Stripped-User-Name ("vpn" here), and if that doesn't
> exist, use %{mschap:User-Name}".
Thanks, the authentication works now.
The next step would be user filtering, based on the vpnusers Active Directory
group. You said:

> You just need to enable TLS transport in the LDAP module.  You don't
> necessarily need a client cert.
In the ldap module:
tls {
	start_tls = yes
}
group {
	# membership_attribute names the attribute holding the user's groups;
	# the group DN itself (CN=vpnusers,CN=Users,${base_dn}) is what an
	# Ldap-Group comparison is checked against, not part of this setting.
	membership_attribute = 'memberOf'
}
Then the FreeRADIUS server says:
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS: can't connect: (unknown error code).
rlm_ldap (ldap): Could not start TLS: Connect error

I ran certs/bootstrap.
In radiusd.conf:

certdir = ${confdir}/certs
cadir = ${confdir}/certs

In the ldap module (tls subsection):

tls {
	start_tls = yes
	ca_file = ${certdir}/ca.pem
	ca_path = ${certdir}
	certificate_file = ${certdir}/server.crt
	private_key_file = ${certdir}/server.key
	random_file = /dev/urandom
}

FreeRADIUS server:

TLS: could not use private key: The requested data were not available. (-56)

rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown



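The two log lines above point at the files named in the ldap module's tls subsection rather than at the LDAP server. The script below is an added example, not part of this thread or of FreeRADIUS; it assumes only that openssl is on PATH, and the /etc/raddb paths in its usage line are placeholders for the real confdir. It checks the three things a practitioner rules out first: that certificate_file and private_key_file are readable, that the key is not passphrase-protected (libldap loads private_key_file without any passphrase, and certs/bootstrap writes server.key encrypted with the password from server.cnf by default, which is why the eap module needs private_key_password), and that the key actually belongs to the certificate. The -56 in the log is GnuTLS's numeric code for "The requested data were not available"; whatever produced it here, an unloadable key is the cheapest thing to exclude. A separate network probe asks the directory whether it offers StartTLS on port 389 at all, since "TLS: can't connect" on ldap://localhost:389 is what a server that never answers StartTLS looks like from rlm_ldap.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the files that
# rlm_ldap's tls { } section points at. Assumes openssl is on PATH; the file
# paths and the LDAP host are arguments chosen by the caller.

# 0 if the PEM file holds a passphrase-protected private key. libldap loads
# private_key_file without a passphrase, so such a key is unusable for
# rlm_ldap even though the eap module can use it via private_key_password.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if the certificate's public key equals the public half of the key.
# Returns 2 if either file cannot be parsed (an encrypted key fails here
# because no passphrase is supplied, which mirrors what libldap does).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs the offline checks on certificate_file and private_key_file.
# Returns 0 when everything is consistent, otherwise the number of problems
# found; each problem is also printed.
check_ldap_tls_files() {
    cert=$1; key=$2; problems=0
    if [ ! -r "$cert" ]; then
        echo "certificate_file not readable: $cert"
        problems=$((problems + 1))
    fi
    if [ ! -r "$key" ]; then
        echo "private_key_file not readable: $key"
        problems=$((problems + 1))
        return "$problems"
    fi
    if key_is_encrypted "$key"; then
        echo "private_key_file is passphrase-protected; libldap cannot load it: $key"
        problems=$((problems + 1))
    elif ! cert_matches_key "$cert" "$key"; then
        echo "certificate_file and private_key_file do not belong together"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Network probe, not part of the offline checks: does the LDAP server offer
# StartTLS on port 389, and does its certificate chain to ca_file?
# Needs OpenSSL 1.1.1 or later for "-starttls ldap".
probe_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" </dev/null 2>&1 |
        grep -E 'Verify return code|Protocol|error'
}

# Usage (placeholder paths):
#   sh check-ldap-tls.sh /etc/raddb/certs/server.crt /etc/raddb/certs/server.key
if [ "$#" -eq 2 ]; then
    check_ldap_tls_files "$1" "$2"
fi
```

Run the offline checks as the account radiusd runs under (it differs by distribution), because a key that root can read and the daemon cannot produces the same "could not use private key" line. If the key turns out to be encrypted, re-export it without a passphrase for rlm_ldap (openssl pkey -in server.key -out server-ldap.key, answering the bootstrap passphrase) and keep the file mode tight; run probe_starttls against the real directory host rather than localhost unless the DC really is local.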