Active Directory authenticated VPN

Michael Ströder michael at
Thu May 6 15:41:07 CEST 2021

On 5/6/21 3:04 PM, Pisch Tamás wrote:
> I tried it, freeradius debug message:
> SASL/EXTERNAL authentication started
> Thu May  6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with
> cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636
> failed: Unknown authentication method

It seems you set SASL mech EXTERNAL. Don't do that if you want to use
LDAP simple bind. Without seeing your config I can only guess though.

Background: LDAP knows two different method for bind operation:

1. LDAP simple bind, mainly sends the bind-DN and password. As you can
see in my ldap.simple-bind example file the line

mech = 'EXTERNAL'

is commented (disabled) and these lines are used for the simple bind:

identity = 'uid=system_radiusd,ou=ae-dir'
password = supersecret

2. LDAP SASL bind for which the message format and messages exchanged
depend on the SASL mech used. Password-less mechs are e.g. EXTERNAL and

Sending a bind operation with SASL/EXTERNAL instructs the LDAP server to
use authc credential information from a lower transport layer. IIRC MS
AD and/or Samba4 do not support that.

Typically SASL/EXTERNAL is used for authenticating with TLS client certs
to the LDAP server as in this example file:

I typically use the EAP-TLS server cert also as LDAP client cert which
is directly mapped in Æ-DIR's config to the accompanying aeService entry
(which is then authorized to search for users enabled for that service).
No way to do things like that in MS AD/Samba4.

See small description here:

>> And then starting radiusd with option -X is your friend during testing.
> Yes, I use it always.


Ciao, Michael.

More information about the Freeradius-Users mailing list