Does anyone have a working radiusd.conf and users file I could see as I
have been unsuccessful configuring
Freeradius 1.0.1 to talk to my Active Directory.
When I try to test with radtest I get the following:
[EMAIL PROTECTED] freeradius-1.0.4]# radtest "ken george" "xxxxxx"
localhost 1 testing123
Sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = "ken george"
User-Password = "xxxxxx"
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = "ken george"
User-Password = "\030\035`\222\375Q\267\301\357\270O\352\335Kj3"
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = "ken george"
User-Password = "\030\035`\222\375Q\267\301\357\270O\352\335Kj3"
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Is my radtest string correct?
Exerpts from radiusd.conf and users follow:
Radiusd.conf
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "phldcsrv01.us.mi-services.net"
identity = "cn=ken george,o=US
Users,c=us.mi-services.net"
password = 262144
basedn = "o=phldcsrv01,c=us.mi-services.net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with
normal
# ldap connections instead of using ldaps (port 689)
connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# NOTICE: The password_header directive is NOT case
insensitive
#
# password_header = "{clear}"
#
# The server can usually figure this out on its own,
and pull
# the correct User-Password or NT-Password from the
database.
#
# Note that NT-Passwords MUST be stored as a 32-digit
hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
(output suppressed)
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the
request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been
set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type :=
MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap
#
# Read the 'users' file
files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
LDAP
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# Allow EAP authentication.
eap
}
Users file
DEFAULT Ldap-Group = Administrators, Auth-Type = LDAP
Fall-through = yes
Thanks!
Ken George
Systems and Network Engineering
Mi Services Group, Inc.
+1 610-230-2500 x129
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
