How to install and configure FreeRADIUS with Active Directory so that only a specific group of users can authenticate, on Debian 10

Several years ago, I built a FreeRADIUS server on CentOS 6 that worked with Active Directory. It worked perfectly for Wi-Fi authentication and IKEv2 VPN authentication. But recently I found a bug: the RADIUS server could not limit user access to a group in AD. So I tried to build a new FreeRADIUS server on Debian 10. After a week of work, I finally figured it out.

Install and configure the software

First things first, we need to install a Debian 10 server on your virtualization platform. In my case, I installed the Debian server on a Proxmox VE platform.

Change Debian settings

  • Change the hostname
hostnamectl set-hostname myradius
  • Sync the clock with the domain controllers. Kerberos rejects tickets when the clock skew exceeds a few minutes (five by default), and the domain join and winbind both depend on Kerberos, so use the DCs as NTP sources. Replace ntp with chrony:
apt purge ntp
apt install -y chrony
vi /etc/chrony/chrony.conf
# comment out the default `pool xxx iburst` line and add the domain controllers
server <ip_of_dc01> iburst
server <ip_of_dc02> iburst

Restart the chrony service and check that the DCs are listed as sources:

systemctl restart chrony
chronyc sources

Install Samba and winbind and join the Debian host to the domain

  • Install samba, winbind and krb5-user
apt update && apt -y dist-upgrade
apt install -y samba winbind krb5-user
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
  • Configure Samba
vi /etc/samba/smb.conf

In the [global] section, change the settings from

## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
  workgroup = WORKGROUP

to

## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of

   workgroup = TESTING
   realm = TESTING.LOCAL
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config testing : backend = rid
   idmap config testing : range = 10000-999999
   winbind use default domain = true
   winbind offline logon = false

The two idmap ranges must not overlap: the default (*) range holds the built-in and well-known SIDs, the domain range maps domain users and groups. `winbind use default domain = true` makes domain accounts appear without the TESTING\ prefix, which is the form the ntlm_auth and LDAP lookups below rely on. Run `testparm` after editing to catch syntax and range errors.
  • Modify /etc/nsswitch.conf so that domain users and groups resolve through winbind
 vi /etc/nsswitch.conf

Change the settings from:

passwd:         files systemd
group:          files systemd

to:

passwd:         files systemd winbind
group:          files systemd winbind
  • Modify /etc/krb5.conf so the realm points at the domain controllers and the DNS domain maps onto the realm (realm names are upper-case, DNS names lower-case). Before joining, `kinit <user>@TESTING.LOCAL` should succeed with this file in place:
[realms]
    TESTING.LOCAL = {
       kdc = MYDC02.TESTING.LOCAL
       kdc = MYDC03.TESTING.LOCAL
       admin_server = TESTING.LOCAL
       default_domain = TESTING.LOCAL
    }

[domain_realm]
   .testing.local = TESTING.LOCAL
   testing.local = TESTING.LOCAL
  • Reboot the host

  • Join the domain. Any account that is allowed to join computers to the domain will do; a delegated join account is preferable to Administrator:

    #net join -U mypoweruser
    net ads join -U Administrator
    Enter Administrator's password:
    Using short domain name -- TESTING
    Joined 'SMB' to dns domain ''
    No DNS domain configured for smb. Unable to perform DNS Update.

    The last two lines mean the join itself succeeded but the host has no DNS domain suffix, so Samba could not register an A record for it; give the host an FQDN or create the record on the DC by hand.
  • Restart the samba and winbind services

    systemctl restart smbd winbind
  • Test Samba AD authentication:

    • Using winbind (if you omit the %<password> part, wbinfo prompts for it, which keeps the password out of the shell history):
    systemctl restart winbind
    wbinfo -a <user>%<password>

    You will get the following messages if everything is correct:

    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    • Using ntlm_auth, which is the helper FreeRADIUS will call:
    ntlm_auth --request-nt-key --domain=TESTING --username=<user> --password=<password>

    On success it prints:

    NT_STATUS_OK: Success (0x0)
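Samba requires the idmap ranges in smb.conf to be disjoint (testparm reports overlaps), and the two ranges used above, 3000-7999 for the default backend and 10000-999999 for the domain's rid backend, are. The checker below is an added example, not code from the original post: it reads any smb.conf, extracts every `idmap config ... : range` line, and fails if a range is inverted or two ranges overlap. It assumes POSIX sh and awk; write_sample_smbconf builds a constructed [global] section in the shape of the one above so the checker can be tried without touching the real file.

```shell
#!/bin/sh
# Added example: verify that the idmap ranges in an smb.conf do not overlap.
# Not part of the original post. Assumes POSIX sh and awk.

# idmap_ranges_ok SMBCONF
#   exit 0  when every 'idmap config <dom> : range = LO-HI' line has LO < HI
#           and no two ranges overlap
#   exit 1  otherwise, printing each offending range to stdout
idmap_ranges_ok() {
    awk '
    # Match only "range" settings; "backend" lines are ignored.
    /^[ \t]*idmap config[^:]*:[ \t]*range[ \t]*=/ {
        dom = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", dom)   # strip the prefix
        sub(/[ \t]*:.*$/, "", dom)                  # keep the domain (or "*")
        r = $0
        sub(/.*=[ \t]*/, "", r)                     # keep "LO-HI"
        split(r, p, "-")
        lo = p[1] + 0; hi = p[2] + 0
        if (lo >= hi) { printf "%s: malformed range %s\n", dom, r; bad = 1 }
        n++; D[n] = dom; L[n] = lo; H[n] = hi
    }
    END {
        # Two ranges overlap when each one starts before the other ends.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (L[i] <= H[j] && L[j] <= H[i]) {
                    printf "%s (%d-%d) overlaps %s (%d-%d)\n", D[i], L[i], H[i], D[j], L[j], H[j]
                    bad = 1
                }
        exit bad
    }' "$1"
}

# write_sample_smbconf FILE DEFAULT_RANGE DOMAIN_RANGE
#   Write a constructed [global] section (same layout as the walkthrough)
#   so the checker can be exercised on a scratch file.
write_sample_smbconf() {
    cat >"$1" <<EOF
[global]
   workgroup = TESTING
   realm = TESTING.LOCAL
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = $2
   idmap config testing : backend = rid
   idmap config testing : range = $3
EOF
}

# Usage on the real host:
#   idmap_ranges_ok /etc/samba/smb.conf || echo "fix the idmap ranges before joining"
```

Run it before `net ads join`; a range that overlaps the default backend's range silently produces wrong UID/GID mappings rather than an obvious error at join time.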

Install FreeRADIUS

  • Install freeradius

    apt install -y freeradius
  • Grant the freerad user access to winbind's privileged socket (ntlm_auth needs it to obtain the NT key for MS-CHAP):

    usermod -a -G winbindd_priv freerad
    chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
  • Configure the ntlm_auth exec module (used for PAP, where the cleartext password is available):

    vi /etc/freeradius/3.0/mods-available/ntlm_auth

    program = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{mschap:User-Name} --password=%{User-Password}"
    # To restrict authentication to one domain group, use this form instead. Replace $DOMAINNAME
    # and $DOMAIN_GROUP with the short domain name and the group name; ntlm_auth also accepts the group's SID here.
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=$DOMAINNAME  --require-membership-of='$DOMAINNAME\$DOMAIN_GROUP'  --username=%{mschap:User-Name} --password=%{User-Password}"
  • Change the mschap module so that MS-CHAP/MS-CHAPv2 (Wi-Fi PEAP, IKEv2 EAP) is verified by ntlm_auth against the domain:

    vi /etc/freeradius/3.0/mods-available/mschap
    mschap {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=TESTING --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    }

    The same --require-membership-of option can be added to this ntlm_auth line; that is what enforces the group for MS-CHAP clients, which never reach the PAP exec module above.
  • Change the EAP config

    vi /etc/freeradius/3.0/mods-available/eap

    Change default_eap_type from

    eap {
        default_eap_type = md5

    to

    eap {
        default_eap_type = mschapv2

    Then restart the freeradius service

    systemctl restart freeradius
  • Change /etc/freeradius/3.0/sites-enabled/default and /etc/freeradius/3.0/sites-enabled/inner-tunnel: in the authenticate section of each, uncomment (or add) the ntlm_auth line that the default site ships commented out, so that Auth-Type ntlm_auth resolves to the exec module configured above:

    authenticate {
        ...
        ntlm_auth
        ...
    }
  • Configure the RADIUS client (NAS). Each NAS gets its own stanza with its address and a shared secret. That secret is all that authenticates the NAS to the server and it keys the User-Password obfuscation and the MPPE key encryption, so use a long random value per NAS rather than a word:

    vi /etc/freeradius/3.0/clients.conf
    client nas {
       ipaddr    = <ip_of_nas>
       secret    = myauthpassword
       shortname = "nas access"
    }
  • Restart the freeradius service

    systemctl restart freeradius

    Test FreeRADIUS and MS-CHAP (testing123 is the secret Debian ships for the localhost client in clients.conf; change it along with the NAS secrets):

radtest -t mschap <user> <password> localhost 0 testing123

The output will look like this:

Sent Access-Request Id 9 from to length 134
       User-Name = "user"
       MS-CHAP-Password = "password"
       NAS-IP-Address =
       NAS-Port = 0
       Message-Authenticator = 0x00
       Cleartext-Password = "password"
       MS-CHAP-Challenge = 0x163bc4c900360a08
       MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000382764ceb05312077d21d71bf53ce917ef2e72a4ff83ca96
Received Access-Accept Id 9 from to length 84
       MS-CHAP-MPPE-Keys = 0x000000000000000065c53b0540ab884edc6779a1f370c0cb
       MS-MPPE-Encryption-Policy = Encryption-Allowed
       MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

Configure FreeRADIUS LDAP auth with AD

To limit authentication to an AD group, FreeRADIUS also needs to look the user up in AD over LDAP; that lookup is what makes the LDAP-Group check item in the users file work.

  • Install freeradius-ldap
apt install -y freeradius-ldap

Edit the config

  • Edit /etc/freeradius/3.0/mods-available/ldap
vi /etc/freeradius/3.0/mods-available/ldap
ldap {
    server = 'dc01.mydomain.local'
    server = 'dc02.mydomain.local'
    port = 389
    # Bind account: an ordinary read-only domain user is enough for lookups and group checks.
    identity = 'aduser@mydomain.local'
    password = <mypassword>
    base_dn = 'dc=mydomain,dc=local'
    update {
       control:Password-With-Header    += 'userPassword'
       control:NT-Password     := 'ntPassword'
       reply:Reply-Message     := 'radiusReplyMessage'
       reply:Tunnel-Type       := 'radiusTunnelType'
       reply:Tunnel-Medium-Type    := 'radiusTunnelMediumType'
       reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

        #  Where only a list is specified as the RADIUS attribute,
        #  the value of the LDAP attribute is parsed as a valuepair
        #  in the same format as the 'valuepair_attribute' (above).
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }
    edir = no
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

Three things to watch here. First, port 389 sends the bind password and every lookup in the clear; on anything but a lab network use LDAPS (`server = 'ldaps://dc01.mydomain.local'`, `port = 636`) or set `start_tls = yes` in the module's tls section, with the domain CA in its `ca_file`. Second, the file now holds a domain password, so it must stay readable by root and the freerad group only. Third, the group check uses this module's group section: its default `filter = '(objectClass=posixGroup)'` never matches an AD group, so set it to `(objectClass=group)` and keep `membership_attribute = 'memberOf'`; alternatively compare LDAP-Group against the group's full DN, which needs no name resolution.
  • Create a link in mods-enabled
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
  • Edit /etc/freeradius/3.0/sites-available/default: in authorize, call ldap and switch PAP requests to LDAP authentication (a bind as the user against AD); in authenticate, enable the LDAP Auth-Type. Both snippets are shipped commented out in the default site:
vi /etc/freeradius/3.0/sites-available/default
authorize {
   ...
   -ldap
   if ((ok || updated) && User-Password) {
       update {
           control:Auth-Type := ldap
       }
   }
   ...
}
authenticate {
   ...
   Auth-Type LDAP {
       ldap
   }
   ...
}
  • Restart the freeradius service. To watch the LDAP queries, stop the service instead and run the daemon in the foreground with full debug output (it cannot bind its ports while the service holds them):
systemctl restart freeradius
freeradius -fX

Testing LDAP auth

radtest <domain_account> <password> localhost 0 testing123
  • Change /etc/freeradius/3.0/users so that only members of the group VPN_GROUP can authenticate
vi /etc/freeradius/3.0/users
DEFAULT Auth-Type = ntlm_auth, LDAP-Group == "VPN_GROUP"
DEFAULT LDAP-Group != "VPN_GROUP", Auth-Type := Reject
        Reply-Message = "You are not permitted to access the VPN"

The first entry matches group members and selects ntlm_auth unless an Auth-Type was already set (mschap sets its own earlier in authorize); the second catches everyone else and forces a reject with a message. Both entries use LDAP-Group, which asks AD through the ldap module; the plain Group check item is rlm_unix's local NSS group lookup and is not the same test. Reply items such as Reply-Message go on their own indented line under the entry they belong to.
  • Finally, enforce the group on the PAP path as well. In /etc/freeradius/3.0/mods-available/ntlm_auth switch the program line to the --require-membership-of form (replace $DOMAINNAME and $DOMAIN_GROUP with your short domain name and group):
vi /etc/freeradius/3.0/mods-available/ntlm_auth

program = "/usr/bin/ntlm_auth --request-nt-key --domain=$DOMAINNAME  --require-membership-of='$DOMAINNAME\$DOMAIN_GROUP'  --username=%{mschap:User-Name} --password=%{User-Password}"

With this in place a user outside the group fails inside ntlm_auth itself, independently of the users-file check, so the two controls back each other up; the same option on the mschap module's ntlm_auth line covers MS-CHAP clients.

Install MariaDB and daloRADIUS to manage FreeRADIUS through a web interface

  • Install the MariaDB database
apt install -y mariadb-server

Replace the certificate

We purchased a GoDaddy certificate, so we replace the default self-signed EAP server certificate with it. Wireless and VPN clients validate this certificate during the PEAP/TLS handshake, so it must chain to a CA the clients trust.

  • Back up the default EAP config file

    cp /etc/freeradius/3.0/mods-enabled/eap /etc/freeradius/3.0/mods-enabled/eap.backup
  • Place the PEM files in /etc/freeradius/3.0/certs/mycerts

    ls -al /etc/freeradius/3.0/certs/mycerts

-rw-r--r-- 1 root root 1728 Feb 21 11:11 mycerts-ca.pem
-rw-r--r-- 1 root root 1704 Feb 21 11:09 mycerts.key
-rw-r--r-- 1 root root 2248 Feb 21 11:13 mycerts.pem

    The private key in this listing is world-readable (0644). FreeRADIUS runs as the freerad user on Debian, so the key only needs to be readable by root and the freerad group: chown root:freerad and chmod 640 it.

  • Convert crt to pem

openssl x509 -in mycert-ca.crt -out mycert-ca.pem -outform PEM
  • Modify the /etc/freeradius/3.0/mods-enabled/eap file, pointing the three settings at the key, the server certificate and the CA file from the listing above:

      tls-config tls-common {
          #private_key_password = whatever
          private_key_file = /etc/freeradius/3.0/certs/
          certificate_file = /etc/freeradius/3.0/certs/
          ca_file = /etc/freeradius/3.0/certs/

    private_key_password is only needed when the key is encrypted; leave it commented out for an unencrypted key. If the certificate was issued through an intermediate CA, append the intermediate certificate(s) to certificate_file after the server certificate, otherwise clients that do not already hold the intermediate will fail to build the chain.

  • Restart the freeradius service.

systemctl restart freeradius
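The directory listing above shows the EAP private key as mode 0644, readable by every local account, while the daemon only needs it readable by root and the freerad group. The checker below is an added example, not code from the original post: key_perms_ok fails a key that is world-accessible, group-writable, or group-readable by the wrong group, and harden_key applies the chgrp/chmod fix. It assumes Linux with GNU stat; the group name is passed as an argument so it can be tried on any host, and the chown to root that a real server also needs is left to the administrator.

```shell
#!/bin/sh
# Added example (not from the original post): permission check for the EAP
# private key referenced by private_key_file. Assumes Linux + GNU stat.

# key_perms_ok KEYFILE GROUP
#   returns 0 when KEYFILE exists, has no permission bits for "other",
#   is at most group-readable, and (if group-readable) belongs to GROUP.
#   Prints the reason for failure to stderr.
key_perms_ok() {
    f=$1; want_group=$2
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # %a = octal mode (e.g. 640), %G = group name
    set -- $(stat -c '%a %G' "$f")
    mode=$1; group=$2
    other=$(printf '%s' "$mode" | tail -c 1)                 # last octal digit
    grp=$(printf '%s' "$mode" | tail -c 2 | head -c 1)       # group digit
    [ "$other" = 0 ] || { echo "$f: world-accessible (mode $mode)" >&2; return 1; }
    case "$grp" in
        0) return 0 ;;                       # owner-only: always acceptable
        4) [ "$group" = "$want_group" ] && return 0
           echo "$f: group-readable by '$group', expected '$want_group'" >&2
           return 1 ;;
        *) echo "$f: group has write/execute bits (mode $mode)" >&2; return 1 ;;
    esac
}

# harden_key KEYFILE GROUP: make the key readable by its owner and GROUP only.
# On the server run this as root after 'chown root:GROUP KEYFILE'; unprivileged,
# it works on files you own when you belong to GROUP.
harden_key() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Usage on the host from the walkthrough:
#   key_perms_ok /etc/freeradius/3.0/certs/mycerts/mycerts.key freerad || \
#       harden_key /etc/freeradius/3.0/certs/mycerts/mycerts.key freerad
```

Run the check after every certificate renewal: tools that write a fresh key tend to create it with the default umask, which is how a 0644 key ends up in the listing above in the first place.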

