Hi Fajar, Thanks so much for replying.
The debug log for the local test against AD is attached:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35067, id=16, length=61
        User-Name = "uldaptest"
        User-Password = "usk.173n!"
        NAS-IP-Address = 192.148.223.54
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20111129
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20111129
[auth_log]      expand: %t -> Tue Nov 29 07:54:47 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "uldaptest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for uldaptest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=uldaptest))
[ldap]  expand: dc=acu,dc=edu,dc=au -> dc=acu,dc=edu,dc=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 0
rlm_ldap: bind as cn=Radauth,cn=Users,dc=acustaff,dc=acu,dc=edu,dc=au/9yRD1133 to acustaff.acu.edu.au:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=acu,dc=edu,dc=au, with filter (&(sAMAccountName=uldaptest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user uldaptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "uldaptest" with password "usk.173n!"
[ldap] user DN: CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au
rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 1
rlm_ldap: bind as CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au/usk.173n! to acustaff.acu.edu.au:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user uldaptest authenticated succesfully
++[ldap] returns ok
        expand: Host %n -> Host 192.148.223.54
Login OK: [uldaptest] (from client localhost port 0) Host 192.148.223.54
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 127.0.0.1 port 35067
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +4
Ready to process requests.

And the reply:

[root@panvpufreeradi1 ~]# radtest uldaptest usk.173n! localhost 0 testing123
Sending Access-Request of id 16 to 127.0.0.1 port 1812
        User-Name = "uldaptest"
        User-Password = "usk.173n!"
        NAS-IP-Address = 192.148.223.54
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=16, length=20

On the AD, the user is configured. Is there any extra setting that I need to do on AD which I am not aware of?

I have a question for you: if only using it for WPA, do I also need to configure Samba and use ntlm_auth, since this RADIUS device will be used by iPads, netbooks, etc.?
Here is the configuration for default and inner-tunnel without the comments; I may have done something wrong here:

default
----------------------
authorize {
        preprocess
        auth_log
        suffix
        eap {
                ok = return
        }
        ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        #eap
}
------------

Inner tunnel
---------------------
server inner-tunnel {
        authorize {
                chap
                mschap
                unix
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
                ldap
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type LDAP {
                        ldap
                }
                eap
        }
        session {
                radutmp
        }
        post-auth {
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
} # inner-tunnel server block
---------------------

I greatly appreciate your feedback. Do advise if you need to view other config files.

Thanks
Vikash

-----Original Message-----
From: freeradius-users-bounces+vikash.gounder=acu.edu...@lists.freeradius.org [mailto:freeradius-users-bounces+vikash.gounder=acu.edu...@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Monday, 28 November 2011 4:44 PM
To: FreeRadius users mailing list
Subject: Re: Free radius authentication with AD using ldap

On Mon, Nov 28, 2011 at 12:29 PM, Vikashgounder <vikash.goun...@acu.edu.au> wrote:
> From the local radtest I can see, it is authenticating fine but when
> testing ...

and where is the debug log for that?

> with a wpa device, this is the error m getting on the debug log:

It's quite informative, actually:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

If you use AD as ldap, the user password is not accessible in any ldap attribute.
Thus you normally have to use ntlm_auth. See
- http://deployingradius.com/documents/configuration/active_directory.html
- http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (old version, but some of it might be still relevant)

Some other things to check:
- Are you setting Auth-Type manually? You shouldn't need to
- If you REALLY have radtest working, then it's usually a matter of making sure configuration in sites-available/default (the one used if you use PAP directly, e.g. with radtest) is also in sites-available/inner-tunnel (the one used to handle AAA inside EAP tunnel, like when you use EAP-PEAP-MSCHAPv2)

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
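As an added illustration (not configuration from this thread, from Vikash's server, or from the FreeRADIUS project's own files), here is what the change Fajar describes looks like in a FreeRADIUS 2.x layout: the ldap module keeps doing authorization (group membership, reply items), but the MS-CHAPv2 exchange that PEAP carries is handed to Samba's ntlm_auth, so the server never needs a password it cannot read from AD, and the inner-tunnel virtual server is brought in line with default. The path /usr/bin/ntlm_auth and the assumption that the host is already joined to the domain with winbind running are assumptions, not facts from the thread.

```unlang
# modules/mschap -- added example, not the thread's own config.
# Assumes: Samba winbind is joined to the AD domain, ntlm_auth lives at
# /usr/bin/ntlm_auth, and the radiusd user may read the winbind
# privileged socket (otherwise ntlm_auth is refused the NT key).
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        # Strip a DOMAIN\ prefix that Windows/iOS supplicants often send.
        with_ntdomain_hack = yes
        # The challenge and NT-Response from the supplicant are forwarded
        # to winbind; AD verifies them and returns the NT key, so the
        # "known good" password never has to exist in LDAP.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-available/inner-tunnel -- the server that actually sees the
# MS-CHAPv2 exchange inside PEAP. 'mschap' in authorize sets
# Auth-Type = MS-CHAP by itself when it sees MS-CHAP attributes, so no
# manual Auth-Type assignment is needed (Fajar's first point).
server inner-tunnel {
        authorize {
                mschap
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                ldap            # authorization only: groups, reply items
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap     # only reachable for cleartext inner methods
                }
                Auth-Type MS-CHAP {
                        mschap  # calls ntlm_auth configured above
                }
                eap
        }
        # session, post-auth, pre-proxy and post-proxy sections stay as
        # in the existing inner-tunnel file.
}
```

Two checks worth doing in that order: first confirm winbind alone can validate a user with `ntlm_auth --request-nt-key --domain=EXAMPLE --username=uldaptest --password=...` (EXAMPLE is a placeholder for the NetBIOS domain), then exercise the RADIUS path with `radtest -t mschap uldaptest ... localhost 0 testing123` before trying a real WPA client; if the first fails the second cannot succeed, which narrows the fault to Samba rather than FreeRADIUS. Note also that the Auth-Type LDAP path in the pasted config can only ever work for PAP, because an LDAP bind needs the cleartext password and an MS-CHAPv2 client never sends one, which is why the radtest succeeded while the WPA device did not.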