RADIUS authentication against LDAP or Active Directory

August 25th, 2015 by bostjan

This is a short guide on how to do a setup-and-forget for RADIUS authentication against LDAP or Active Directory services.

Software installation

Since I had previous success with CentOS 6 and a RADIUS server (a small time investment in setup and configuration, and it has worked since then without any noticeable hiccup), that is what will be used on this occasion as well.

Install basic RADIUS packages:

Install LDAP driver:

This is the diff of the changes made to the /etc/raddb configuration files to get authentication against LDAP working:

In short, you need to:

  • configure the connection to the LDAP server (bind credentials, search filter)
  • enable LDAP authentication and authorization
  • define the client that is allowed to use this RADIUS service
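The following added example, which is not code from this post or from FreeRADIUS, shows how the search filter quoted in the comments below expands for each request, with RFC 4515 escaping of the user name, and checks a filter for the truncation the commenters reported. The filter strings and request attributes are constructed for illustration, and the helper names are hypothetical.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Matches the %{%{First}:-%{Second}} fallback form used in the post's filter.
_FALLBACK = re.compile(r"%\{%\{([\w-]+)\}:-%\{([\w-]+)\}\}")

# Constructed: the filter line as quoted in the comments (cut off at "(use").
TRUNCATED = "(& (&(objectclass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (use"
# Constructed: a closed filter built from the same objectclass and sAMAccountName terms.
FIXED = "(&(objectclass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"


def escape_value(value):
    """Escape an attribute value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, request):
    """Substitute request attributes: the first one if set, else the second."""
    def repl(match):
        first, second = match.groups()
        return escape_value(request.get(first) or request.get(second, ""))
    return _FALLBACK.sub(repl, template)


def is_balanced(ldap_filter):
    """True when every '(' has a matching ')' and the filter starts with '('."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    for request in ({"User-Name": "alice@example.com", "Stripped-User-Name": "alice"},
                    {"User-Name": "bob"},
                    {"User-Name": "smith*(contractor)"}):
        print(expand(FIXED, request))
    print("truncated ok:", is_balanced(TRUNCATED), "| fixed ok:", is_balanced(FIXED))
```

Running the balance check on a filter before restarting the daemon catches a copy-paste truncation like the one in the comments.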

Start the RADIUS service daemon:

And that is it.

Test your new service

You can use this one-liner to check whether authentication against the LDAP server via the RADIUS service actually works:

The output of a successful authentication attempt looks like this:

Look for the “Access-Accept” message, as it signifies successful authentication.

Enable RADIUS service start at boot

You will sleep better if you do not forget to do this, so here is the command :)

4 Responses to “RADIUS authentication against LDAP or Active Directory”

  1. jbsky says:

    The patch seems incomplete and badly encoded to me.
    + filter = “(& (&(objectclass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (use

  2. bostjan says:

    @jbsky: Thank you for noticing this and letting me know! Fixed.

  3. Anders Sandblad says:

    The filter line still seems broken?
    + filter = “(& (&(objectclass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) (use


  4. bostjan says:

    Thanks @Anders.
    I have no idea now what should come after that “(use” part, since the post is a bit dated.

    However, since it is just a filter, I removed that part and it should (in theory) still work.
