I have changed from %Ldap-UserDN to %{Ldap-UserDN} but am still not able to log in from my Cisco switch.
The logs are as follows:

rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=184, length=82
	NAS-IP-Address = 172.17.3.210
	NAS-Port = 1
	NAS-Port-Type = Virtual
	User-Name = "vijay.singh"
	Calling-Station-Id = "172.17.27.9"
	User-Password = "Password"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "vijay.singh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> vijay.singh
[files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.17.3.223:389, authentication 0
[ldap] bind as CN=ADS Admin,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh))
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Vijay Singh,OU=Servers,DC=kochar,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for vijay.singh
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> vijay.singh
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh))
[ldap] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user vijay.singh authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "vijay.singh" with password "Password"
[ldap] user DN: CN=Vijay Singh,OU=Servers,DC=kochar,DC=com
[ldap] (re)connect to 172.17.3.223:389, authentication 1
[ldap] bind as CN=Vijay Singh,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user vijay.singh authenticated succesfully
++[ldap] returns ok
expand: Host %n% -> Host 172.17.3.210%
Login OK: [vijay.singh] (from client Kipl Asr Network port 1 cli 172.17.27.9) Host 172.17.3.210%
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 184 to 172.17.3.210 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 184 with timestamp +14
Ready to process requests.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p4593489.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
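Added example, not part of the post above and not FreeRADIUS project code: a small Python checker that scans debug output of the shape shown in this thread for the pattern visible in the posted log, namely a group-membership filter in which %{Ldap-UserDn} expanded to nothing (so the search is sent as `(member=)` / `(uniquemember=)`), the group search returning "object not found", and the request nonetheless ending in Access-Accept. The embedded sample log is constructed: request id 184 is abridged from the lines in the post, and the second request (user "jane.doe", id 185) is hypothetical, added to show a case the checker does not flag. The regexes, the `GroupCheckFinding` class and the `split_requests`, `analyze_request` and `audit` functions are this example's own assumptions about the 2.x debug format, not anything the post or FreeRADIUS defines.

```python
"""Flag FreeRADIUS debug logs where an LDAP group check ran with an empty
user DN and the request was still accepted.

Added example; not from the original post or the FreeRADIUS project.
SAMPLE_LOG is constructed (abridged lines from the post plus one hypothetical
request); the regexes are assumptions about the 2.x debug line format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample. Request 184: empty DN in the group filter, group not
# found, Access-Accept anyway. Request 185 (hypothetical): DN expanded, and the
# search was sent with a real DN, so nothing is flagged.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=184, length=82
\tUser-Name = "vijay.singh"
[ldap] Entering ldap_groupcmp()
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
[ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
[ldap] object not found
++[files] returns noop
[ldap] user DN: CN=Vijay Singh,OU=Servers,DC=kochar,DC=com
Sending Access-Accept of id 184 to 172.17.3.210 port 1645
rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=185, length=80
\tUser-Name = "jane.doe"
[ldap] Entering ldap_groupcmp()
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN=Jane Doe,OU=Servers,DC=kochar,DC=com))(&(objectClass=top)(uniquemember=CN=Jane Doe,OU=Servers,DC=kochar,DC=com)))
[ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=CN=Jane Doe,OU=Servers,DC=kochar,DC=com))(&(objectClass=top)(uniquemember=CN=Jane Doe,OU=Servers,DC=kochar,DC=com))))
Sending Access-Accept of id 185 to 172.17.3.210 port 1645
"""

# Assumed line shapes, taken from the debug output quoted in the thread.
RAD_RECV_RE = re.compile(r"^rad_recv: .* id=(\d+),")
USER_RE = re.compile(r'User-Name = "([^"]*)"')
USER_DN_RE = re.compile(r"\[ldap\] user DN: (.+)$")
# A membership attribute compared against nothing: the DN never got filled in.
EMPTY_DN_RE = re.compile(r"\((member|uniquemember|memberUid)=\)")
GROUP_CN_RE = re.compile(r"\(cn=([^)]+)\)")
RESULT_RE = re.compile(r"^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+)")


@dataclass
class GroupCheckFinding:
    request_id: Optional[str] = None
    user: Optional[str] = None
    user_dn: Optional[str] = None
    group: Optional[str] = None
    empty_dn_attrs: List[str] = field(default_factory=list)
    group_not_found: bool = False
    result: Optional[str] = None

    @property
    def accepted_without_group_dn(self) -> bool:
        """True when the membership filter carried no DN and the NAS still got
        an Access-Accept: the group restriction was never actually tested."""
        return bool(self.empty_dn_attrs) and self.result == "Access-Accept"


def split_requests(log: str) -> List[List[str]]:
    """Group debug lines per request; each 'rad_recv:' line starts a new block."""
    blocks: List[List[str]] = []
    for line in log.splitlines():
        if line.startswith("rad_recv:") or not blocks:
            blocks.append([])
        blocks[-1].append(line)
    return blocks


def analyze_request(lines: List[str]) -> GroupCheckFinding:
    """Extract user, DN, group name, empty-DN filter attributes and outcome."""
    f = GroupCheckFinding()
    for line in lines:
        if (m := RAD_RECV_RE.match(line)):
            f.request_id = m.group(1)
        elif (m := USER_RE.search(line)) and f.user is None:
            f.user = m.group(1)
        elif (m := USER_DN_RE.search(line)):
            f.user_dn = m.group(1).strip()
        elif "expand:" in line and "->" in line:
            # Only the right-hand side of 'expand:' is the filter actually sent.
            expanded = line.split("->", 1)[1]
            f.empty_dn_attrs.extend(EMPTY_DN_RE.findall(expanded))
        elif "performing search" in line and (m := GROUP_CN_RE.search(line)):
            f.group = m.group(1)
        elif f.group and line.strip() == "[ldap] object not found":
            f.group_not_found = True
        elif (m := RESULT_RE.match(line)):
            f.result = m.group(1)
    return f


def audit(log: str) -> List[GroupCheckFinding]:
    """Return only the requests where a group check ran with no DN and the
    request was accepted anyway."""
    return [f for f in map(analyze_request, split_requests(log))
            if f.accepted_without_group_dn]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"request id={f.request_id} user={f.user}: group {f.group!r} "
              f"searched with empty DN for {f.empty_dn_attrs}; "
              f"group_not_found={f.group_not_found}; result={f.result}")
```

Run against a full `radiusd -X` capture, the checker surfaces the point that the posted log shows directly: `(member=)` can never match a group entry, so the `CiscoAdminLr` comparison in the users file silently returned noop, and the Access-Accept that followed came from the later user bind alone, without any group restriction having been enforced.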