Hi Fajar,

Thanks so much for replying.

The debug log for local test against AD is attached:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1 port 35067, id=16, length=61
        User-Name = "uldaptest"
        User-Password = "usk.173n!"
        NAS-IP-Address = 192.148.223.54
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20111129
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20111129
[auth_log]      expand: %t -> Tue Nov 29 07:54:47 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "uldaptest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for uldaptest
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=uldaptest))
[ldap]  expand: dc=acu,dc=edu,dc=au -> dc=acu,dc=edu,dc=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 0
rlm_ldap: bind as cn=Radauth,cn=Users,dc=acustaff,dc=acu,dc=edu,dc=au/9yRD1133 to acustaff.acu.edu.au:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=acu,dc=edu,dc=au, with filter (&(sAMAccountName=uldaptest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user uldaptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "uldaptest" with password "usk.173n!"
[ldap] user DN: CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au
rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 1
rlm_ldap: bind as CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au/usk.173n! to acustaff.acu.edu.au:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user uldaptest authenticated succesfully
++[ldap] returns ok
        expand: Host %n -> Host 192.148.223.54
Login OK: [uldaptest] (from client localhost port 0) Host 192.148.223.54
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 127.0.0.1 port 35067
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +4
Ready to process requests.

And the reply:

[root@panvpufreeradi1 ~]# radtest uldaptest usk.173n! localhost 0 testing123
Sending Access-Request of id 16 to 127.0.0.1 port 1812
        User-Name = "uldaptest"
        User-Password = "usk.173n!"
        NAS-IP-Address = 192.148.223.54
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=16, length=20

On the AD the user is configured; is there any extra setting that I need to do on AD
which I am not aware of?

I have a question for you: if only using this for WPA, do I also need to configure
samba and use ntlm_auth, since this radius device will be used by iPads,
netbooks, etc.?

Here is the configuration for default and inner-tunnel without the comments; I may
have done something wrong here:

default
----------------------
authorize {
        preprocess
        auth_log
        suffix
        eap {
                ok = return
        }
        ldap
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type LDAP {
                ldap
        }
        eap
}


preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}

session {
        radutmp
}


post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        #eap
}


------------

Inner tunnel
---------------------

server inner-tunnel {
authorize {
        chap
        mschap
        unix
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type LDAP {
                ldap
        }
        eap
}

session {
        radutmp
}


post-auth {
}

pre-proxy {
}

post-proxy {
        eap
}
} # inner-tunnel server block
---------------------

I greatly appreciate your feedback. Do advise if you need to view other config 
files.

Thanks
Vikash

-----Original Message-----
From: freeradius-users-bounces+vikash.gounder=acu.edu...@lists.freeradius.org 
[mailto:freeradius-users-bounces+vikash.gounder=acu.edu...@lists.freeradius.org]
 On Behalf Of Fajar A. Nugraha
Sent: Monday, 28 November 2011 4:44 PM
To: FreeRadius users mailing list
Subject: Re: Free radius authentication with AD using ldap

On Mon, Nov 28, 2011 at 12:29 PM, Vikashgounder <vikash.goun...@acu.edu.au> 
wrote:
> From the local radtest I can see, it is authenticating fine but when 
> testing

... and where is the debug log for that?

> with a wpa device, this is the error I'm getting on the debug log:

It's quite informative, actually:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

If you use AD as ldap, the user password is not accessible in any ldap 
attribute. Thus you normally have to use ntlm_auth. See
- http://deployingradius.com/documents/configuration/active_directory.html
- http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
(old version, but some of it might be still relevant)

Some other things to check:
- Are you setting Auth-Type manually? You shouldn't need to
- If you REALLY have radtest working, then it's usually a matter of making sure 
configuration in sites-available/default (the one used if you use PAP directly, 
e.g. with radtest) is also in sites-available/inner-tunnel (the one used to 
handle AAA inside EAP tunnel, like when you use EAP-PEAP-MSCHAPv2)

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
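An added example (not from this thread or the FreeRADIUS project) of what Fajar's two points look like in FreeRADIUS 2.x config: the mschap module handing MS-CHAPv2 verification to Samba's ntlm_auth, and an inner-tunnel authenticate section that has the Auth-Type MS-CHAP branch the inner-tunnel posted above is missing. The ntlm_auth path, MYDOMAIN and the assumption that the RADIUS host is joined to the domain are mine.

```unlang
# modules/mschap (FreeRADIUS 2.x).  AD never exposes the NT hash over LDAP, so
# MS-CHAPv2 responses from PEAP clients are checked by asking a domain-joined
# Samba via ntlm_auth instead of by comparing against a "known good" password.
# Binary path and MYDOMAIN are assumptions.
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
# Check the Samba side before touching radiusd (host joined with "net ads join",
# radiusd's user able to read the winbindd_privileged directory); it should print
# "NT_STATUS_OK: Success (0x0)":
#   ntlm_auth --request-nt-key --domain=MYDOMAIN --username=uldaptest --password='<password>'

# sites-available/inner-tunnel.  PEAP/WPA clients land here, not in "default".
# mschap must run before ldap in authorize so it claims Auth-Type first, and
# authenticate needs the MS-CHAP branch.  The ldap bind path only works when a
# cleartext password is present (PAP, i.e. radtest), which is why radtest passes
# while the WPA devices fail.
server inner-tunnel {
        authorize {
                mschap
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                ldap
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                Auth-Type LDAP {
                        ldap
                }
                eap
        }
}
```

Once ntlm_auth works from the shell, radiusd -X for a PEAP attempt should show mschap calling it instead of the "No known good password" warning.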
