InkBridge Networks - A new name for Network RADIUS

How to connect FreeRADIUS to Active Directory for authentication

Some password formats just don't play well with others

Active Directory is widely used in enterprise and university systems. This article describes how to connect FreeRADIUS to Active Directory, allowing you to authenticate users against your existing directory service while using your RADIUS server for network access control.


Understanding the limitations of FreeRADIUS with Active Directory


When FreeRADIUS uses Active Directory as a user database, certain limitations apply. Active Directory won't give FreeRADIUS the "known good password" for FreeRADIUS to use. Instead, FreeRADIUS has to take the user credentials (PAP, MS-CHAP, etc.) and hand them to Active Directory, which checks them and returns success or failure to FreeRADIUS.


For MS-CHAP authentication, the way to connect FreeRADIUS to Active Directory is through Samba, and the ntlm_auth helper program. Note that in this configuration, we are using Active Directory as an authentication oracle, and not as an LDAP database.

If FreeRADIUS gets a PAP password (clear-text), it can just use an LDAP "bind as user" to connect to the AD server and check whether the password is correct.

Configuring Samba and Active Directory

Using ntlm_auth for PAP authentication may not work on recent versions of Samba and Active Directory. If so, just skip to the next section.

Once Samba has been installed on your system, you should edit the smb.conf file, and configure the [global] section to point to your NT server, including hostname and NT domain:

# workgroup = NT-Domain-Name
   workgroup = MYDOMAIN
...
# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = ads
# Use password server option only with security = server
   password server = nt-server-hostname.company.com
...
   realm = realm.company.com

For Samba 4, you also have to set the ntlm auth configuration variable. It should be set to either yes, or to mschapv2-and-ntlmv2-only. This configuration needs to be set on all participating Samba members, and also on (Samba4) AD-DC servers.

ntlm auth = mschapv2-and-ntlmv2-only
...

You may also have to edit the /etc/krb5.conf file to add an entry that points to the Active Directory server. This is often not necessary, as Samba can usually "figure it out" when Active Directory is also the main DNS server.

[realms]
...
realm.company.com = {
    kdc = nt-server-hostname.company.com
}
...

Start the Samba and Kerberos servers and, as root, join the domain:

$ net join -U Administrator

Enter the administrator password at the prompt.

Next, verify that a user in the domain can be authenticated:

wbinfo -a user%password

You should see a number of lines of text, followed by authentication succeeding. The next step is to try the same login with the ntlm_auth program, which is what FreeRADIUS will be using:

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

If all goes well, you should see authentication succeeding (NT_STATUS_OK). You may also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication.

Configuring FreeRADIUS to use ntlm_auth

Once you have verified that Samba is installed and working correctly, and that the ntlm_auth program works, you can proceed with configuring FreeRADIUS to use ntlm_auth. For initial testing, we will be using the exec module, and will run the exact command line used above.

Create or edit the ntlm_auth module configuration. In version 2, this file should be saved as raddb/modules/ntlm_auth. In version 3, it should be saved as raddb/mods-enabled/ntlm_auth. The contents of the file are below; edit the path to ntlm_auth and the domain name to match your system.

exec ntlm_auth {
    wait = yes
    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

This configuration tells the server to run the ntlm_auth program with the user name and password obtained from the Access-Request. You will also have to list ntlm_auth in the authenticate sections of both the raddb/sites-enabled/default file and the raddb/sites-enabled/inner-tunnel file:

authenticate {
    ...
    ntlm_auth
    ...
}

and add the following text, for testing purposes only, to the top of the users file. In version 3, the users file has moved to raddb/mods-config/files/authorize.

DEFAULT   Auth-Type = ntlm_auth

This configuration says "for all users, if the authentication method has not been set, set it to use the ntlm_auth program".

Start the server using radiusd -X, and wait for the debugging text to stop scrolling by. If all goes well, you should see the following text:

Ready to process requests.

In another terminal window on the same machine, type the following command:

$ radtest user password localhost 0 testing123

If all goes well, you should see the server returning an Access-Accept message, and the window with radtest should print text similar to the following:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, length=20

This text means that authentication succeeded. A few lines above this text, the debug output will also show the exact command line used to run ntlm_auth.

Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Once you have the previous steps working, configuring FreeRADIUS with Active Directory for MS-CHAP is simple. First, delete the testing entry used above from the users file, as leaving it in will break other authentication types. Then, find the mschap module configuration (the raddb/modules/mschap file in version 2, raddb/mods-available/mschap in version 3) and look for the line containing ntlm_auth =. It is commented out by default; uncomment it and edit it to read as follows. As before, update the path to ntlm_auth and the default domain to match your local configuration.

ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Start the server and use radtest to send an MS-CHAP authentication request. You will need radtest from FreeRADIUS version 2.1.10 or later for the -t mschap option to work:

$ radtest -t mschap bob hello localhost 0 testing123

If everything goes well, you should see the server returning an Access-Accept message as above.
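As an added illustration (not code from this article or from FreeRADIUS), the following Python computes what the four %{mschap:...} expansions in the ntlm_auth line above become for an MS-CHAPv2 request, using the RFC 2759 section 9.2 test vectors as constructed sample packet fields. It assumes with_ntdomain_hack = yes, so a DOMAIN\user name is split as shown; the function names are mine.

```python
import hashlib

# Sample packet fields taken from the RFC 2759 section 9.2 test vectors
# (constructed input for this example, not captured from a real session):
# the 16-byte MS-CHAP-Challenge sent by the server, and the Peer-Challenge
# and NT-Response that the supplicant returns inside MS-CHAP2-Response.
AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
NT_RESPONSE = bytes.fromhex("82309ecd8d708b5ea08faa3981cd78544c65c6c0b525d53a")


def split_nt_domain(user_name):
    # "DOMAIN\\user" -> ("DOMAIN", "user"); a bare name -> (None, name).
    # Mirrors %{mschap:NT-Domain} and %{mschap:User-Name} when
    # with_ntdomain_hack = yes (assumption, see lead-in).
    domain, sep, user = user_name.rpartition("\\")
    return (domain if sep else None), user


def mschapv2_challenge(peer_challenge, auth_challenge, user):
    # ChallengeHash() from RFC 2759 section 8.2: the 8-byte value that
    # %{mschap:Challenge} expands to for MS-CHAPv2 (hex-encoded on the
    # command line). The user name is the part after any DOMAIN\ prefix.
    data = peer_challenge + auth_challenge + user.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def ms_chap2_response(ident, peer_challenge, nt_response, flags=0):
    # 50-byte MS-CHAP2-Response attribute value (RFC 2548 section 2.3.2):
    # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)
    return bytes([ident, flags]) + peer_challenge + bytes(8) + nt_response


def ntlm_auth_args(user_name, ms_chap_challenge, response, default_domain="MYDOMAIN"):
    # Reproduce the argument list produced by the mschap module's ntlm_auth
    # line; default_domain plays the role of the ":-MYDOMAIN" fallback.
    if len(ms_chap_challenge) != 16 or len(response) != 50:
        raise ValueError("need a 16-byte MS-CHAP-Challenge and 50-byte MS-CHAP2-Response")
    peer = response[2:18]       # Peer-Challenge
    nt_resp = response[26:50]   # NT-Response, passed through unchanged
    domain, user = split_nt_domain(user_name)
    challenge = mschapv2_challenge(peer, ms_chap_challenge, user)
    return ["--request-nt-key", "--allow-mschapv2",
            "--username=" + user,
            "--domain=" + (domain or default_domain),
            "--challenge=" + challenge.hex(),
            "--nt-response=" + nt_resp.hex()]


if __name__ == "__main__":
    resp = ms_chap2_response(1, PEER_CHALLENGE, NT_RESPONSE)
    print("ntlm_auth", *ntlm_auth_args("MYDOMAIN\\User", AUTH_CHALLENGE, resp))
```

The printed command line is the one to compare against the "Executing" line in the radiusd -X output: FreeRADIUS never sees the password for MS-CHAP, only the client's response, which is why ntlm_auth (and therefore Samba) must do the check.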

Troubleshooting

If it doesn't work, double-check the password entered on the supplicant against the password in Active Directory. If it still does not work, it might be a bug in Samba: change your version of Samba, either by installing a fixed version or by repeatedly downgrading it (and testing) until it works.

It is also possible to test authentication with just the ntlm_auth command line. Look at the FreeRADIUS debug output to find the arguments passed to ntlm_auth, copy and paste them to a command line, and use that command line for testing. This limited test is often simpler and faster than running a complex test with a full RADIUS server. When this limited test passes, authentication through FreeRADIUS will work too.

Samba documentation

The Samba project also has a wiki page for configuring FreeRADIUS against Active Directory.


This guide should help you connect FreeRADIUS to Active Directory so you can authenticate users against your existing user accounts while maintaining control over network resources and user access through your RADIUS clients.

