Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Authenticate Cisco Router using Active Directory through FreeRADIUS.

Hi all,

Happy new year 2017 for everyone!!

We have a FreeRADIUS V3 running on Ubuntu server. Server installed and configured with Integration to
Active Directory, running Server 2008. Our Freeradius allows connection of AD users with MAC , Ubuntu,
And Win Desktop, to login the WIFI (Cisco OS) using AD Accounts.

I need to configure our FreeRadius on all Switches & Routers so that login will be carried out via
The AD account,instead local user. In same way that users connect today to the Cisco Wireless. 

I went through a lot of guides and tutorials, and it just refuse to work. 

I enclose the findings I have gathered so far from FreeRADIUS:
* When running “wbinfo -u | grep user” I'm able to get the AD User.

* Running of : "ntlm_auth --request-nt-key --domain=MY.ACTUAL.DOMAIN --username=username" 
Return :  Password: NT_STATUS_OK: Success (0x0)

* When adding the Cisco 2960 switch to clients file with user&password in cleartext, I’m able to login to switch successfully.

* Running radtest check against AD user i.e: “radtest AD_User passwd 1812 secretkey”
Return “Expected Access-Accept got Access-Reject” 

* When running FreeRadius in debug via freeradius -X and attempting login Cisco,
Below errors that recorded to the log screen:

- ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
- mschap: ERROR: MS-CHAP2-Response is incorrect
- MS-CHAP-Error = "\010E=691 R=1 C=06969570e488834b8cefb2ec3e748b81 V=3 M=Authentication failed"
- ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
-  pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type

- pap: WARNING: Authentication will fail unless a "known good" password is available


At this point , really ran out the ideas. What I'm missing, on which configuration file,
And what need to add / change, to make it work.

I greatly appreciate any help here guys. 

Content for Community-Ad