Messages

You can bind to LDAP via Freeradius plugin, should work fine

What do you mean by that? I have installed Freeradius plugin and bound it to my AD but it only accepts plain passwords and Windows desktops sends NT-Hash of password.
I will try to do what Kofl suggested - use Windows RADIUS server.

I think that the only way to do this at the moment is to use certificate authentication. I don`t have CA set up at the moment in my AD infrastructure so I can`t test this out.

Is it possible to authenticate Windows client machine on IPsec VPN against Active Directory?
I tried this by setting up FreeRADIUS on my OPNsense but it`s not working. What I googled is that my FreeRADIUS expects cleartext password while my Windows machine is sending NThash. It seems that for this to work, I would also need to install samaba and join my OPNsense box to AD (I don't wand to go that way). Anyone tested similar setup?