FreeRADIUS fully supports the MSCHAPv2 protocol used for Active Directory authentication and deployments of FreeRADIUS with Active Directory are extremely popular.
1. Active Directory support using SAMBA
To fully support Active Directory authentication, FreeRADIUS requires the use of Samba in general, and
winbind in particular.
The definitive guide for FreeRADIUS deployments with Active Directory is maintained at http://deployingradius.com/documents/configuration/active_directory.html.
2. Active Directory support using LDAP bind-as-user
If you do not wish to use Samba or your organisation forbids the use of it, you can use the LDAP bind-as-user method.
For more information on this method, see using LDAP to connect to a directory, but you will be need a low-privileged user with read/browse access to Active Directory instead.
3. Using the FreeRADIUS users flat file together with Active Directory
After connecting your FreeRADIUS server to Active Directory, you may wish to use a test user that is defined in the FreeRADIUS users flat file.
To use this functionality you must:
Add the user to
/etc/freeradius/users). The entry is in the following format:
In addition to the password, you must add the
MS-CHAP-Use-NTLM-Authattribute as an authorisation item to the top line. It is a flag that indicates to FreeRADIUS whether authentication to ActiveDirectory should be used and it is set to 1 by default. Set this to zero.
A sample user entry