Hi, I'm trying to set up FreeRADIUS to use the LDAP module for authorization and to process authentication with MSCHAPv2. My goal is to assign VLANs based on some Organizational Units in AD. I wanted to use the "huntgroups" argument in the users file because it could check the OU. Last time I tried MSCHAPv2 for both autz and auth with "ntlm_auth … --require-membership-of", but I could only get 2 VLANs (depending on whether the user is in the group or not). So my question is: is it possible? And if yes, how do I do that? Thanks,
My configuration files:

- sites-enabled/default & inner-tunnel

    authorize {
        Autz-Type LDAP {
            ldap
        }
        ..
        ldap
    }

    authenticate {
        ..
        #Auth-Type LDAP {
        #    ldap
        #}
    }

- users

    DEFAULT Autz-Type := LDAP, Auth-Type := MSCHAP

- eap.conf

    eap {
        default_eap_type = peap
        ..
    }
    peap {
        default_eap_type = mschapv2
        ..
    }

- modules/ldap

    ldap {
        server = "test.fr"
        identity = "cn=bindradius,cn=Users,dc=test,dc=fr"
        password = bindradius
        basedn = "cn=Users,dc=test,dc=fr"
        filter = "(samaccountname=%{User-Name})"
        ..
    }
    password_attribute = userPassword

---------------------------------------------------------------------------------
FreeRADIUS server log:
---------------------------------------------------------------------------------

Wed Feb 18 11:11:28 2009 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=7, length=202
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.1.1
        NAS-Identifier = "SWiTCH"
        User-Name = "philippe"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 17
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "17"
        Called-Station-Id = "00-13-21-a8-24-40"
        Calling-Station-Id = "00-15-c5-06-84-d8"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "4"
        EAP-Message = 0x0201000d017068696c69707065
        Message-Authenticator = 0x5270b68813d479cb9e13dbb933792913
Wed Feb 18 11:11:39 2009 : Info: +- entering group authorize {...}
Wed Feb 18 11:11:39 2009 : Info: ++[preprocess] returns ok
Wed Feb 18 11:11:39 2009 : Info: ++[chap] returns noop
Wed Feb 18 11:11:39 2009 : Info: ++[mschap] returns noop
Wed Feb 18 11:11:39 2009 : Info: [suffix] No '@' in User-Name = "philippe", looking up realm NULL
Wed Feb 18 11:11:39 2009 : Info: [suffix] No such realm "NULL"
Wed Feb 18 11:11:39 2009 : Info: ++[suffix] returns noop
Wed Feb 18 11:11:39 2009 : Info: [eap] EAP packet type response id 1 length 13
Wed Feb 18 11:11:39 2009 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Feb 18 11:11:39 2009 : Info: ++[eap] returns updated
Wed Feb 18 11:11:39 2009 : Info: ++[unix] returns notfound
Wed Feb 18 11:11:39 2009 : Info: [files] users: Matched entry DEFAULT at line 1
Wed Feb 18 11:11:39 2009 : Info: ++[files] returns ok
Wed Feb 18 11:11:39 2009 : Info: [ldap] performing user authorization for philippe
Wed Feb 18 11:11:39 2009 : Info: [ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] expand: cn=Users,dc=test,dc=fr -> cn=Users,dc=test,dc=fr
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: attempting LDAP reconnection
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: (re)connect to test.fr:389, authentication 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: bind as cn=bindradius,cn=Users,dc=test,dc=fr/bindradius to test.fr:389
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: waiting for bind result ...
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: Bind was successful
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: performing search in cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for check items in directory...
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for reply items in directory...
Wed Feb 18 11:11:39 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Wed Feb 18 11:11:39 2009 : Info: [ldap] user philippe authorized to use remote access
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Feb 18 11:11:39 2009 : Info: ++[ldap] returns ok
Wed Feb 18 11:11:39 2009 : Info: ++[expiration] returns noop
Wed Feb 18 11:11:39 2009 : Info: ++[logintime] returns noop
Wed Feb 18 11:11:39 2009 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Feb 18 11:11:39 2009 : Info: ++[pap] returns noop
Wed Feb 18 11:11:39 2009 : Info: Using Autz-Type LDAP
Wed Feb 18 11:11:39 2009 : Info: +- entering group LDAP {...}
Wed Feb 18 11:11:39 2009 : Info: [ldap] performing user authorization for philippe
Wed Feb 18 11:11:39 2009 : Info: [ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] expand: cn=Users,dc=test,dc=fr -> cn=Users,dc=test,dc=fr
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: performing search in cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for check items in directory...
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for reply items in directory...
Wed Feb 18 11:11:39 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Wed Feb 18 11:11:39 2009 : Info: [ldap] user philippe authorized to use remote access
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Feb 18 11:11:39 2009 : Info: ++[ldap] returns ok
Wed Feb 18 11:11:39 2009 : Info: Found Auth-Type = MSCHAP
Wed Feb 18 11:11:39 2009 : Info: +- entering group MS-CHAP {...}
Wed Feb 18 11:11:39 2009 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Wed Feb 18 11:11:39 2009 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Wed Feb 18 11:11:39 2009 : Info: [mschap] No MS-CHAP-Challenge in the request
Wed Feb 18 11:11:39 2009 : Info: ++[mschap] returns reject
Wed Feb 18 11:11:39 2009 : Info: Failed to authenticate the user.
Wed Feb 18 11:11:39 2009 : Info: Using Post-Auth-Type Reject
Wed Feb 18 11:11:39 2009 : Info: +- entering group REJECT {...}
Wed Feb 18 11:11:39 2009 : Info: [attr_filter.access_reject] expand: %{User-Name} -> philippe
Wed Feb 18 11:11:39 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Feb 18 11:11:39 2009 : Info: ++[attr_filter.access_reject] returns updated
Wed Feb 18 11:11:39 2009 : Info: Delaying reject of request 0 for 1 seconds
Wed Feb 18 11:11:39 2009 : Debug: Going to the next request
Wed Feb 18 11:11:39 2009 : Debug: Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=7, length=202
Wed Feb 18 11:11:40 2009 : Info: Waiting to send Access-Reject to client 192.168.1.1 port 1024 - ID: 7
Wed Feb 18 11:11:40 2009 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 7 to 192.168.1.1 port 1024
Wed Feb 18 11:11:40 2009 : Debug: Waking up in 4.9 seconds.
Wed Feb 18 11:11:45 2009 : Info: Cleaning up request 0 ID 7 with timestamp +11
Wed Feb 18 11:11:45 2009 : Debug: Ready to process requests.

--
View this message in context: http://www.nabble.com/Autz-type-LDAP%2C-Auth-Type-MSCHAP-possible---%28for-vlan-assignment%29-tp22076072p22076072.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
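As an added example (not the poster's configuration and not code from the FreeRADIUS project), the following Python script reads a FreeRADIUS 2.x debug log like the one above and names the conditions that lead to the Access-Reject: the EAP module's "updated" result being overridden by a users-file Auth-Type, mschap running on the outer EAP packet that carries no MS-CHAP-Challenge, and no NT-Password being available from LDAP. The log excerpt embedded in it is a constructed abridgement of the output quoted in the post, and the finding names are assumptions of this example.

```python
import re

# Constructed sample: an abridged copy of the FreeRADIUS 2.x debug output quoted in the post.
SAMPLE_LOG = """\
Wed Feb 18 11:11:39 2009 : Info: ++[eap] returns updated
Wed Feb 18 11:11:39 2009 : Info: [files] users: Matched entry DEFAULT at line 1
Wed Feb 18 11:11:39 2009 : Info: ++[files] returns ok
Wed Feb 18 11:11:39 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Wed Feb 18 11:11:39 2009 : Info: ++[ldap] returns ok
Wed Feb 18 11:11:39 2009 : Info: Found Auth-Type = MSCHAP
Wed Feb 18 11:11:39 2009 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Wed Feb 18 11:11:39 2009 : Info: [mschap] No MS-CHAP-Challenge in the request
Wed Feb 18 11:11:39 2009 : Info: ++[mschap] returns reject
"""

# "++[module] returns code" lines are what radiusd -X prints for every module call.
RETURN_RE = re.compile(r"\+\+\[(?P<module>[\w.]+)\] returns (?P<code>\w+)")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type = (?P<auth>\S+)")


def module_returns(log):
    """Map each module name to the return code it reported (last occurrence wins)."""
    return {m.group("module"): m.group("code") for m in RETURN_RE.finditer(log)}


def diagnose(log):
    """Return, in order, the findings (names assumed here) that explain the reject."""
    findings = []
    returns = module_returns(log)
    match = AUTH_TYPE_RE.search(log)
    auth_type = match.group("auth") if match else None
    # rlm_eap returned "updated" because it set Auth-Type = EAP, yet the server
    # selected another Auth-Type: a users-file "Auth-Type :=" overrode the EAP module.
    if returns.get("eap") == "updated" and auth_type not in (None, "EAP"):
        findings.append("auth_type_override")
    # mschap was run on the outer EAP-Identity packet, which carries no MS-CHAP-Challenge.
    if "No MS-CHAP-Challenge in the request" in log:
        findings.append("mschap_on_outer_eap_request")
    # AD does not hand out a password hash over LDAP, so mschap has no NT-Password to check.
    if 'No "known good" password was found in LDAP' in log and "Cannot create NT-Password" in log:
        findings.append("no_nt_password_from_ldap")
    if returns.get("mschap") == "reject":
        findings.append("mschap_reject")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against a full `radiusd -X` capture to see which of the three conditions applies before changing the users file.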