FreeRADIUS with Active Directory backend

Started by exu, December 09, 2024, 10:56:28 AM

December 09, 2024, 10:56:28 AM Last Edit: December 17, 2024, 01:02:24 PM by exu Reason: Write down solution/workaround I settled on
EDIT: I decided to use the Windows Radius role as suggested here: https://forum.opnsense.org/index.php?topic=41472.msg222357#msg222357

Hello community

I'm trying to set up FreeRADIUS with the LDAP backend to Active Directory.
Radius in turn is configured on the Unifi access points.

I can authenticate without issue using a local test user. However, authenticating with any Active Directory user does not work.

I'm getting this error message:
Auth: (14) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [mfi/<via Auth-Type = eap>] (from client Unifi APs port 0 via TLS tunnel)
EAP Settings
EAP Type: MSCHAPv2
Curve: prime256v1
Own Certs: no
Root Cert: none
Server Cert: Default
CRL: none
Check TLS CN: no
TLS min. Ver: 1.2

LDAP Settings
Inner Tunnel: yes
Protocol: LDAP
Srv. Port: empty (default)
Cert: none
Start TLS: no
Bind User: <my admin CN>
Bind PW: <my pw>
Base DN: <AD DN>
User Filter: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
Group Filter: empty

On the client side (Android) I tried these combinations:
PEAP + MS-CHAP v2
TTLS + MS-CHAP
TTLS + MS-CHAP v2

The one working combination I found (TTLS + PAP) is not ideal, as passwords within the TLS connection are sent in plain text.

Based on my research, the ntlm_auth utility and its supporting packages from Samba are not missing for this functionality.
https://github.com/opnsense/plugins/issues/2834
https://github.com/opnsense/plugins/issues/3126
https://ask.linuxmuster.net/t/opnsense-freeradius-fehler-ueber-eap/6074/5 (German)

Has anyone managed to include the relevant files to get FreeRADIUS fully working?

Samba does have an up-to-date port on FreeBSD, so it should theoretically be possible to add the files. I don't have the makefile skills required, unfortunately.
https://www.freshports.org/net/samba419