How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Author: Nurten Dogan
Reviewer: Deepak Prasad

FreeRADIUS: Active Directory Integration and PEAP-MschapV2 with Dynamic Vlan Assignment

We will setup authentication and authorization for a wireless network that can be used for a large organization, ensuring network users are able to securely authenticate to the network. Here's what you'll need:

  • A FreeRADIUS Server
  • A Domain Controller
  • A Wireless Controller
  • An Access Point (AP)
  • Some Clients with Different Operating System

The clients will be classified depend on device type (Android, iPhone, Windows) and assigned to different vlans after being authenticated. We will use Protected Extensible Authentication Protocol (PEAP) with Mschapv2. My network topology will look like below.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Following table shows the device type and the vlans they will be assigned.

Device Type VLAN
Android vlan 100
iPhone vlan 101
Windows vlan 102


Integrate FreeRADIUS with Active Directory

Mschapv2 is a challenge-response based authentication protocol. Since it does not support sending client credentials in complete clear text, we will not be able to use LDAP database in Active Directory for authentication. There can be a workaround but, we will not cover that scenario in this article. Instead, we will use Active Directory integration which supports Mschapv2 authentication. We will use Samba server ant it’s utilities to join the Active Directory.

Followings steps show Samba installation and the other required tools.

Step-1: A fully qualified domain name (FQDN) must be defined. Open "/etc/hosts" file in your preferred text editor and add localhost IP address, FQDN and hostname respectively as below.

root@freeradius:/home/celal# nano /etc/hosts

My configuration is below.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Step-2: Verify the hostname and FQDN with the commands below.

root@freeradius:/home/celal# hostname

root@freeradius:/home/celal# hostname -f


Step-3: Update package information from all the configured sources.

root@freeradius:/home/celal# apt-get update


Step-4: Install the required packages with the command below.

root@freeradius:/home/celal# apt-get install samba winbind libnss-winbind krb5-user

During the installation, the window below will appear. Enter your domain name and click "OK".

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Enter your Domain Controllers FQDN. If you have more than one, then separate them with a space.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Enter the administrative server FQDN and click "OK".

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Step-5: After the installation, we need to configure Samba server. Open "/etc/samba/smb.conf" file with your preferred text editor and modify it the way it suits you. Mine is below.

root@freeradius:/home/celal# nano /etc/samba/smb.conf
    workgroup = MYDOMAIN
    security = ads
    winbind use default domain = yes
    realm = MYDOMAIN.COM
    password server =


Step-6: Although we configured Kerberos in step 4, we need to add more config. Open "/etc/krb5.conf" and modify it as below.

root@freeradius:/home/celal# nano  /etc/krb5.conf
        default_realm = MYDOMAIN.COM

        MYDOMAIN.COM = {
                kdc =
                kdc =
                admin_server =

[domain_realm] = MYDOMAIN.COM = MYDOMAIN.COM


Step-7: Now that we have installed and configured Samba server and Kerberos authentication, we need to join the Active Directory. Remember that when you join a windows client to an Active Directory, you must have an administrator account. Before joining the Active Directory, you provide your credentials. For Ubuntu, we will use "kinit" tool to obtain and cache Kerberos ticket-granting ticket then join the AD.

root@freeradius:/home/celal# kinit Administrator
Password for Administrator@MYDOMAIN.COM:

Following output shows Kerberos obtaining ticket-granting ticket in packet level.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]

Join the Active Directory with command below.

root@freeradius:/home/celal# net ads -k join

Following figure shows joining the Active Directory in the packet level.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Step-8: Restart the services as below.

root@freeradius:/home/celal# service smbd restart
root@freeradius:/home/celal# service nmbd restart
root@freeradius:/home/celal# service winbind restart


Step-9: At this point, we have joined the Active Directory and will confirm if New Technology LAN Manager (NTLM) authentication works. FreeRADIUS uses "ntlm_auth" tool to allow external access to Winbind's NTLM authentication function. Apply the command below to confirm if NTLM authentication works.

root@freeradius:/home/celal# ntlm_auth --request-nt-key --username=administrator --password=mypassword
NT_STATUS_OK: The operation completed successfully. (0x0)


When the authentication is successful, it returns 0 (zero). Following screenshot shows that the ntlm authentication has made over Remote Procedure Call (RPC), which is a Microsoft proprietary protocol.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


Configure FreeRADIUS

I assume that you have already installed FreeRADIUS. If not, please visit here (FreeRADIUS Installing and Configuring (Part 1)).

Step-1: The "default" virtual server contains too much settings. Thus, I will remove it and create my own simple server.

root@freeradius:/home/celal# rm /etc/freeradius/3.0/sites-enabled/default


Step-2: My Aruba testing wireless controller are able to classify a client based on its Operating System. It sends device type in an "Access-Request" packet, using "Aruba-Device-Type" vendor specific attribute. After authenticating the user, I use this attribute to distinguish the clients from each other, then I assign them the vlan accordingly with "post-auth" block. FreeRADIUS comes with many vendor specific dictionaries. They are stored in "/usr/share/freeradius/" directory. If there is currently no dictionary for your vendor, you can create a new one in the directory. Change the configuration below to suit your needs.

root@freeradius:/home/celal# nano /etc/freeradius/3.0/sites-enabled/my_server

server my_server {

        listen {
        ipaddr = *
        port = 1812
        type = auth

        authorize {

        authenticate {
        Auth-Type MS-CHAP {


post-auth {
if (Aruba-Device-Type == "Android") {
        update reply {
                Reply-Message := "you are an Android"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "100"
if (Aruba-Device-Type == "iPhone") {
        update reply {
                Reply-Message := "you are an iPhone"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "101"
if (Aruba-Device-Type == "Win 10") {
        update reply {
                Reply-Message := "you are a windows"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "102"

Step-3: Define a RADIUS client in "/etc/freeradius/3.0/clients.conf" file.

client Wireless_Controller {
                ipaddr =
                secret = celaldogan


Step-4: Change "default_eap_type" to "peap". Some legacy clients may not support TLS version 1.2, so make the changes as you need. I commented out (disabled) some settings, and modified the TLS min and max values. Open "eap" module and follow below.

root@freeradius:/home/celal# nano /etc/freeradius/3.0/mods-available/eap
eap {
default_eap_type = peap
tls-config tls-common {
	#               disable_tlsv1_1 = yes
	#               disable_tlsv1 = yes
	tls_min_version = "1.0"
                tls_max_version = "1.2"

Step-5: Open "mschap" module and configure it as below. FreeRADIUS will use an external program called "ntlm_auth" to authenticate the users.

nano /etc/freeradius/3.0/mods-available/mschap
mschap {

use_mppe = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Step-6: Add "freerad" user to "winbindd_priv" group which will be able to reach "winbind" program.

root@freeradius:/home/celal#  usermod -a -G winbindd_priv freerad
root@freeradius:/home/celal#  chown root:winbindd_priv /var/lib/samba/winbindd_privileged/


Testing PEAP-MschapV2 with an Android device

I will connect my Service Set Identifier (SSID) using an Android device. During the authentication, I captured RADIUS packets between the wireless controller and FreeRADIUS. Because of most of packets are encrypted with TLS, I will omit them. Here is below the "Access-Request" packet.

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


As you see in the screenshot above, the wireless controller sends "Aruba-Device-Type" vendor specific attribute with value of "Android". After authentication, this attribute will be used in the policy to decide to which vlan a user will be assigned. Following shows the last RADIUS packet (Access-Accept).

How to Integrate FreeRADIUS with Active Directory [Step-by-Step]


The FreeRADIUS server insert vlan information (in this case vlan 100), Wi-Fi Protected Access (WPA) encryption and decryption keys into the "Access-Accept" packet. The wireless controller receives the packet and apply the policy accordingly, then it conveys the encryption and decryption keys to the Access Point (AP).


Final thoughts

FreeRADIUS can be integrated into many systems. Active Directory is just one of them. With a simple configuration, you can have a RADIUS integrated into Active Directory.


Views: 1,996
Nurten Dogan

Nurten Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to

Thank You for your support!!

10 thoughts on “How to Integrate FreeRADIUS with Active Directory [Step-by-Step]”

  1. If I want Users from AD a member of group A can connect to Wi-Fi signal name Wi-Fi-A only and users which members of group B, can connect to Wi-Fi named Wi-Fi-B only.

    How to do that?

    • Hello, i’m wanting to achieve the same thing.

      Did you found a solution to get to this result ?
      If yes, please tell me how you managed to do it.

      Grégory BERTINI

  2. Hi,

    I need to this config guest support. Add to end file /etc/freeradius/3.0/users endtry:

    bob123 Cleartext-Password := “hello123”

    But nod work – can Tou help me?:)


  3. How can I tell Freeradius to send to the user a static IP address when authenticating against Active Directory ?


Leave a Comment