Packetfence: authenticate using mschapv2 with OpenLDAP

Packetfence is an Open Source Network Access Control server. It is open, free, and very advanced.
On the other hand, it has been quite a challenge for me to set it up. They also provide a virtual machine based ZEN, which stand for Zero Effort NAC, but I chose to install it manually on Debian.

Based on Freeradius, it should be able to integrate easily with Microsoft Active Directory for dot1x, but again, I chose to not use AD, but OpenLDAP. This part has been difficult, since it is not that well documented.


Enable LDAP auth source

Setting up an LDAP Authentication Source on the web gui is not enought. You’ll also need to manually enter your LDAP connection settings in /usr/local/raddb/mods-available/ldap (this step is well documented on the above mentioned link), and create a soft link to /usr/local/raddb/mods-enabled:

cd /usr/local/pf/raddb
ln -s mods-available/ldap mods-enabled/ldap

Next, you’ll need to “activate” LDAP as an authorization source. Edit /usr/local/pf/conf/radiusd/packetfence-tunnel and uncomment “-ldap” in the authorization section:

# The ldap module reads passwords from the LDAP database.

Just below that line, you’ll need to add these lines:

update control {
    MS-CHAP-Use-NTLM-Auth := No

Without “MS-CHAP-Use-NTLM-Auth := No”, Freeradius will use the ntlm_auth module, which is needed for Active Directory (as far as I know) and does not work for OpenLDAP.

Restart radius:

service packetfence-radiusd-auth restart

Use plain-text passwords in OpenLDAP

This may sound unsecure, but it is a requirement for Freeradius to work with OpenLDAP. I highly recommend to use ldaps instead of plain ldap, and if you use any gui such as phpldapadmin, you’ll also want to set up https.


Create a new connection profile

As a last step, you need to create a new connection profile under Configuration > Policies and Access Control > Connection Profiles.

The new profile should contain one or more dot1x related filters, I used “Connection Type : Ethernet-EAP” and “Connection Type: Wireless-802.11-EAP”.



raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
tail -f /usr/local/pf/logs/radius.log



  • Packetfence doc
  • freeradius mailing list


4 Replies to “Packetfence: authenticate using mschapv2 with OpenLDAP”

  1. i am wondering if this will work for ad/ldap without ntlm authentication (on my network ntlm auth on ad is disabled by nps). will write back after testing

  2. hi bro thanks for your tutorial.
    do you have configuration for divided some users from openLDAP which bandwidth management using captive portal on packetfence?

    i’ve search on installation guide and asking on github inverse but no one is answer.
    hopefully you will answer my question.

    thank you



      1. Hi Fijs.

        Ok sure, how about using RADIUS with OpenLDAP?
        Is it must configured of Realm?
        But it can’t be pairing with any domain right since it must using AD for attach that domain?

        Any suggest?




Leave a Reply

Your email address will not be published.