Thanks Dusty. That's very helpful. I have one little problem. I was hoping someone can shed some light on it.

For the Active Directory security, I need to specify the username as "Domain\user" instead of just "user" for the identity in radiusd.conf; "[EMAIL PROTECTED]" doesn't seem to work. Here is the output:

rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146, length=57
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat: '(uid=apuye)'
radius_xlat: 'dc=ad,dc=puyenet,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
rlm_ldap: bind as [EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com/password to orion.puyenet.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 4
modcall: group authorize returns fail for request 4
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 146 with timestamp 4388ab87
Nothing to do.  Sleeping until we see a request.

The radiusd.conf file looks like this for the ldap section:

ldap {
        server = "orion.puyenet.com"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "[EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com"
        password = password
        #basedn = "o=My Org,c=UA"
        basedn = "dc=ad,dc=puyenet,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

Thanks in advance.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On
> >Behalf Of Dusty Doris
> >Sent: November 25, 2005 9:43 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active
> >Directory[ADIntegrationWindowsXP NTLM Tutorial]
> >
> >
> >
> >> So, the question again is if the VPN Concentrator is only sending
> >> username and password, do I need ntlm_auth or ms-chap? FreeRADIUS
> >> doesn't have any usernames and password and will query Active
> >> Directory for the actual authentication.
> >>
> >> Thanks,
> >>
> >
> >If the packet is merely containing plaintext username and
> >password, then you can probably just use rlm_ldap against AD
> >and hit it directly. Just need to setup a user with read
> >access to the directory to do the initial bind with and
> >search of the user for authorization. Then the user will be
> >authenticated by doing a bind against AD with the
> >username/password in the packet.
> >
> >BTW - I use freeradius w/ ldap for cisco VPN concentrators
> >as well, although it's openldap instead of AD. To pass back
> >the class attribute, you must modify ldap.attrmap and
> >specify the reply item of Class to match what you call it in
> >the directory.
> >
> >eg:
> >
> >replyItem Class radiusClass
> >
> >Then in the directory, you have
> >
> >dn: cn=someuser,...
> >...
> >radiusClass: "OU=myvpngroup;"
> >
> >So, for AD, you'll need to extend the schema and add an
> >attribute for this. Or if you already have something that
> >you can use, just modify ldap.attrmap to know what it is.
> >
> >-Dusty Doris
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
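An added example, not code from the thread or from FreeRADIUS itself: a small checker for an rlm_ldap section like the one posted above. It parses the `ldap { }` block, names the form of the bind `identity` (LDAP DN, DOMAIN\user, UPN or bare name, the distinction at the centre of the question), and expands the `%{Stripped-User-Name:-%{User-Name}}` xlat for a request the way the debug output shows (`radius_xlat: '(uid=apuye)'`). The sample section is constructed, with `cn=svc-radius` standing in for the redacted account name.

```python
import re

# Constructed sample of the ldap { } section from the message; the identity
# is an LDAP DN with a placeholder account name (the form that failed to bind).
LDAP_SECTION = '''
ldap {
    server = "orion.puyenet.com"
    # identity = "cn=admin,o=My Org,c=UA"
    identity = "cn=svc-radius,ou=users,dc=ad,dc=puyenet,dc=com"
    password = password
    basedn = "dc=ad,dc=puyenet,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}
'''

KV_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
# One xlat whose default (if any) holds no nested %{...}: expanded innermost first.
XLAT_RE = re.compile(r'%\{([\w-]+)(?::-([^%{}]*))?\}')

def parse_ldap_section(text):
    """Return the key/value pairs of a FreeRADIUS 1.x style block, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def classify_identity(identity):
    """Name the form of the bind identity: 'domain-user', 'dn', 'upn' or 'bare'."""
    if re.fullmatch(r'[^\\@]+\\[^\\@]+', identity):
        return 'domain-user'   # DOMAIN\user, the form the poster found AD accepts
    if re.fullmatch(r'\w+=[^,]+(,\w+=[^,]+)*', identity):
        return 'dn'            # the form in the posted config, which failed to bind
    if re.fullmatch(r'[^@\\]+@[^@\\]+\.[^@\\]+', identity):
        return 'upn'
    return 'bare'

def expand_filter(template, attrs):
    """Expand %{Attr} and %{Attr:-default} xlats against one request's attributes."""
    def repl(m):
        name, default = m.group(1), m.group(2) or ''
        return attrs.get(name) or default
    while XLAT_RE.search(template):
        template = XLAT_RE.sub(repl, template)
    return template
```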