Using Active Directory

FreeRADIUS fully supports the MSCHAPv2 protocol used for Active Directory authentication, and deployments of FreeRADIUS with Active Directory are extremely popular.

1. Active Directory support using SAMBA

To fully support Active Directory authentication, FreeRADIUS requires the use of Samba in general, and winbind in particular.

The definitive guide for FreeRADIUS deployments with Active Directory is maintained at http://deployingradius.com/documents/configuration/active_directory.html.

2. Active Directory support using LDAP bind-as-user

If you do not wish to use Samba or your organisation forbids the use of it, you can use the LDAP bind-as-user method.

For more information on this method, see using LDAP to connect to a directory; note that you will need a low-privileged user with read/browse access to Active Directory instead.

3. Using the FreeRADIUS users flat file together with Active Directory

After connecting your FreeRADIUS server to Active Directory, you may wish to use a test user that is defined in the FreeRADIUS users flat file.

To use this functionality you must:

  1. Add the user to /etc/raddb/users (or /etc/freeradius/users). The entry is in the following format:

    username<tab>[Authorisation item], [Authorisation item], ...
    <tab><tab>[Reply item], [Reply item], ...
  2. In addition to the password, you must add the MS-CHAP-Use-NTLM-Auth attribute as an authorisation item on the top line. It is a flag that tells FreeRADIUS whether authentication against Active Directory should be used, and it is set to 1 by default. Set it to zero for this user.

    A sample user entry:

    moonshot	Cleartext-Password := "testing1234", MS-CHAP-Use-NTLM-Auth := 0
    			Reply-Message = "You have successfully authenticated with Moonshot",
    			User-Name = 'moonshot'
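As an added example (not code from the original page or the FreeRADIUS project), the following Python parses users-file entries in the layout described above and reports any local test account that carries a Cleartext-Password but does not set MS-CHAP-Use-NTLM-Auth := 0. The file contents and the function names are constructed for this illustration.

```python
import re

# Constructed sample users file: 'moonshot' sets the flag as the page
# describes, 'labtest' carries a local password but omits it.
SAMPLE_USERS_FILE = """\
# local test accounts
moonshot\tCleartext-Password := "testing1234", MS-CHAP-Use-NTLM-Auth := 0
\t\tReply-Message = "You have successfully authenticated with Moonshot",
\t\tUser-Name = 'moonshot'

labtest\tCleartext-Password := "lab-only"
\t\tReply-Message = "lab"
"""

# One 'Attribute op value' item, optionally followed by a comma.
ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(:=|==|=|!=)\s*("[^"]*"|\'[^\']*\'|\S+?)\s*(?:,|$)')


def parse_items(text):
    """Split a comma-separated item list into (attribute, op, value) tuples."""
    return [(m.group(1), m.group(2), m.group(3).strip('"\''))
            for m in ITEM_RE.finditer(text)]


def parse_users_file(text):
    """Return [(username, check_items, reply_items), ...] for each entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':  # column 0: new entry, username + check items
            head = re.match(r'(\S+)\s*(.*)', line)
            entries.append((head.group(1), parse_items(head.group(2)), []))
        elif entries:             # indented continuation: reply items
            entries[-1][2].extend(parse_items(line))
    return entries


def local_users_missing_ntlm_flag(text):
    """Entries with a local password but no MS-CHAP-Use-NTLM-Auth := 0."""
    # Without the flag, MS-CHAP requests for such a user are still handed to
    # Active Directory, which has no knowledge of the flat-file password.
    flagged = []
    for name, checks, _ in parse_users_file(text):
        has_local_pw = any(a == 'Cleartext-Password' for a, _, _ in checks)
        ntlm_off = any(a == 'MS-CHAP-Use-NTLM-Auth' and v == '0'
                       for a, _, v in checks)
        if has_local_pw and not ntlm_off:
            flagged.append(name)
    return flagged
```

Run it against a copy of your own users file to confirm every flat-file test account explicitly disables NTLM authentication before testing against the live server.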