It could be. Can you post your whole users file or is that line the only one there? Also, what would it look like in Active Directory showing that a user is the member of that group? You have to make sure you are doing the correct ldap search to Active Directory to find that a user is a member of a group.
On Thu, 11 Mar 2004, Albers Darren wrote:

> Dustin Doris,
>
> Thank you for the help! Here is the information.
>
> I have the following group attributes set under LDAP in my radius.conf:
> groupname_attribute = Router_Admins
> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_attribute = Router_Admins
>
> Could it be that I do not have the groupmembership filter set correctly and
> Radiusd cannot verify the group membership permission?
>
> This is what I have set in my users file:
>
> DEFAULT Ldap-Group == Router_admins, User-Profile := "CN=Router_Admins,CN=Users,DC=wp,DC=wpstv,DC=com"
>         Fall-Through = no
>
> Here is an output of my Radiusd -X
>
> [EMAIL PROTECTED] root]# radiusd -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "radiusd"
> main: group = "radiusd"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> Using deprecated clients file. Support for this will go away soon.
> read_config_files: reading realms
> Using deprecated realms file. Support for this will go away soon.
> radiusd: entering modules setup
> Module: Library search path is /usr/lib
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap)
> Module: Loaded LDAP
> ldap: server = "mydc.XXXXXX.com"
> ldap: port = 389
> ldap: net_timeout = 1
> ldap: timeout = 4
> ldap: timelimit = 3
> ldap: identity = "CN=freeradius,CN=Users,DC=XXX,DC=XXXXX,DC=com"
> ldap: start_tls = no
> ldap: password = "XXXXX"
> ldap: basedn = "DC=XXX,DC=XXXX,DC=com"
> ldap: filter = "(sAMAccountName=%u)"
> ldap: default_profile = "DC=XXXX,DC=XXXXX,DC=com"
> ldap: profile_attribute = "Router_Admins"
> ldap: password_header = "(null)"
> ldap: password_attribute = "userPassword"
> ldap: access_attr = "(null)"
> ldap: groupname_attribute = "Router_Admins"
> ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> ldap: groupmembership_attribute = "Router_Admins"
> ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
> ldap: ldap_debug = 40
> ldap: ldap_connections_number = 5
> ldap: compare_check_items = yes
> ldap: access_attr_used_for_allow = yes
> conns: (nil)
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> conns: 0x9336288
> Module: Instantiated ldap (ldap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/raddb/users"
> files: acctusersfile = "/etc/raddb/acct_users"
> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> rlm_eap: Loaded and initialized the type md5
> rlm_eap: Loaded and initialized the type leap
> Module: Instantiated eap (eap)
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:43633, id=9, length=59
>         User-Name = "dpatest"
>         User-Password = "password"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1812
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for dpatest
> radius_xlat:  '(sAMAccountName=dpatest)'
> radius_xlat:  'DC=XXXX,DC=XXXXXX,DC=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to mydc.XXXXX.com:389, authentication 0
> rlm_ldap: bind as CN=freeradius,CN=Users,DC=XXX,DC=XXX,DC=XXXX/XXXXX to mydc.XXXXX.com:389
> rlm_ldap: waiting for bind result ...
> request 1 done
> rlm_ldap: performing search in DC=XXXX,DC=XXXX,DC=com, with filter (sAMAccountName=dpatest)
> request 2 done
> rlm_ldap: performing search in DC=XXXX,DC=XXXXX,DC=com, with filter (objectclass=radiusprofile)
> request 3 done
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: default_profile/user-profile search failed
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user dpatest authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "dpatest" with password "password"
> rlm_ldap: user DN: CN=dpatest,CN=Users,DC=XXXXX,DC=XXXXX,DC=com
> rlm_ldap: (re)connect to mydc.XXXXX.com:389, authentication 1
> rlm_ldap: bind as CN=dpatest,CN=Users,DC=XXXXX,DC=XXXXX,DC=com/password to mydc.XXXX.com:389
> rlm_ldap: waiting for bind result ...
> request 1 done
> rlm_ldap: user dpatest authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok
> modcall: group Auth-Type returns ok
> Sending Access-Accept of id 9 to 127.0.0.1:43633
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
>
> [EMAIL PROTECTED] root]#
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dustin Doris
> > Sent: Thursday, March 11, 2004 12:00 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Active Directory Group Authentication
> >
> >
> > On Thu, 11 Mar 2004, Albers Darren wrote:
> >
> > > Hello all,
> > >
> > > I am attempting to use FreeRadius to authenticate based on a group in active
> > > directory. I have it performing authentication using LDAP against
> > > Active-Directory fine, but I would like to restrict it based on group
> > > membership. From what I can determine I should use the users file to enable
> > > group authentication but I don't seem to have that done correctly.
> > >
> > > After reading the archives I read a great page: http://doris.name/radius/
> > > that I think explains how to do what I want to do but whenever I add the
> > > following to users:
> > > DEFAULT Ldap-Group == My_group, Auth-Type := reject
> > >         Reply-Message = "Account disabled. Please call the helpdesk."
> > >
> > > it doesn't seem to matter who logs in, as long as they have a valid Active
> > > Directory account and the password is correct they are allowed in.
> > > After searching through the archives again I still am at a loss, I am
> > > obviously missing something but I am not sure what. Can someone point me in
> > > the right direction?
> > >
> > > Thank you!
> > >
> > > Darren
> > >
> >
> > How do you have the groupmembership part of ldap in radiusd.conf setup?
> >
> > Also, can you post an example radiusd -X output?
> >

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
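A way to check the point Dustin is making, which is not part of the thread and not FreeRADIUS code: expand the `groupmembership_filter` quoted above for the user DN that appears in the `radiusd -X` output and evaluate it against a couple of constructed directory entries. One entry is shaped like an Active Directory group object (objectClass `group` with a `member` attribute, which is the AD schema) and one like an RFC 2256 `groupOfNames` entry, the shape the quoted filter is written for. The filter evaluator below is a small stdlib-only subset of RFC 4515 (`&`, `|`, `!`, equality, presence) with case-insensitive string comparison of values, which is a simplification of real LDAP matching rules; the `user_in_group` helper models an `Ldap-Group == <name>` check as "group-name attribute equals the name AND the membership filter matches", and that combination is an assumption about how such a check is built rather than a quote of rlm_ldap. The group DNs, the `eve (contractor)` member and the `netops` entry are constructed test data.

```python
"""Evaluate an LDAP filter (RFC 4515 subset) against in-memory entries.

Added example, not FreeRADIUS/rlm_ldap code. Shows what the thread's
groupmembership_filter selects when the directory holds an AD-style
group object versus a groupOfNames entry. Value matching is a
case-insensitive string compare, a simplification of LDAP matching rules.
"""
import re

# groupmembership_filter exactly as it appears in the radiusd -X output
THREAD_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)
# object class and attribute an AD group object carries (default AD schema)
AD_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

# user DN taken from the debug output; everything below it is constructed
USER_DN = "CN=dpatest,CN=Users,DC=XXXXX,DC=XXXXX,DC=com"
GUEST_DN = "CN=eve (contractor),CN=Users,DC=XXXXX,DC=XXXXX,DC=com"

DIRECTORY = {
    # AD-style group: objectClass "group", members listed in "member"
    "CN=Router_Admins,CN=Users,DC=XXXXX,DC=XXXXX,DC=com": {
        "objectclass": ["top", "group"],
        "cn": ["Router_Admins"],
        "member": [USER_DN, GUEST_DN],
    },
    # RFC 2256 style group, the shape the thread's filter is written for
    "cn=netops,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "cn": ["netops"],
        "member": [USER_DN],
    },
}


def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a filter: * ( ) \\ and NUL."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def xlat(filter_template, user_dn):
    """Replace %{Ldap-UserDn} with the (escaped) DN, like the xlat step does."""
    return filter_template.replace("%{Ldap-UserDn}", ldap_escape(user_dn))


def parse(s, i=0):
    """Parse the filter component at s[i] == '('; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)                   # parens inside values are \28 / \29
    attr, _, value = s[i:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr name -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                        # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def groups_matching(filter_template, user_dn, directory=DIRECTORY):
    """DNs of the entries the expanded membership filter selects for user_dn."""
    node, _ = parse(xlat(filter_template, user_dn))
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))


def user_in_group(group_name, filter_template, user_dn,
                  groupname_attr="cn", directory=DIRECTORY):
    """Model of `Ldap-Group == <name>`: name attribute matches AND membership
    filter matches. The (&(attr=name)<filter>) shape is an assumption."""
    combined = "(&(%s=%s)%s)" % (groupname_attr, ldap_escape(group_name), filter_template)
    return bool(groups_matching(combined, user_dn, directory))


if __name__ == "__main__":
    for label, flt in (("thread filter", THREAD_FILTER), ("AD-style filter", AD_FILTER)):
        print("%-16s -> %s" % (label, groups_matching(flt, USER_DN)))
    print("Router_admins via thread filter:", user_in_group("Router_admins", THREAD_FILTER, USER_DN))
    print("Router_admins via AD filter:    ", user_in_group("Router_admins", AD_FILTER, USER_DN))
    # groupname_attribute = Router_Admins names no attribute the entries have
    print("same, groupname_attr=Router_Admins:",
          user_in_group("Router_admins", AD_FILTER, USER_DN, groupname_attr="Router_Admins"))
```

Run as-is, the thread's filter returns only the `groupOfNames` entry for `dpatest`, never the AD-style `Router_Admins` object, and the `Router_admins` check comes back False through that filter but True through the AD-style one; with `groupname_attr` set to `Router_Admins` it is False either way, because no entry has an attribute by that name. The practical point for anyone relying on `Ldap-Group` in `users`: a membership search that can never match does not reject anyone, it simply never fires, and every valid account sails through exactly as Darren describes. Before trusting the `users` entry, run the expanded filter with `ldapsearch` under the same bind identity radiusd uses and confirm it returns the group object you expect.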