I authenticate VPN users where the VPN Server authenticates against an
LDAP server and FreeRadius 2.1.8 on CentOS. That generally works
fine. I'm using a user account to authenticate the radius server
against AD for the queries.
What's odd is, though the other user accounts work, I can't authenticate
with that actual user account (even though it's in the same security
group). Multiple other users in the security group VPN_Users work.
What seems (to me) to be odd in particular is that I see
Tue Aug 24 16:41:57 2010 : Info: ++? if (Huntgroup-Name == "VPN_Huntgroup")
Tue Aug 24 16:41:57 2010 : Info: ? Evaluating (Huntgroup-Name ==
"VPN_Huntgroup") -> TRUE
Tue Aug 24 16:41:57 2010 : Info: ++? if (Huntgroup-Name ==
"VPN_Huntgroup") -> TRUE
Tue Aug 24 16:41:57 2010 : Info: ++- entering if (Huntgroup-Name ==
"VPN_Huntgroup") {...}
Tue Aug 24 16:41:57 2010 : Info: +++? if (Ldap-Group == "VPN_Users")
Tue Aug 24 16:41:57 2010 : Debug: [ldap] Entering ldap_groupcmp()
which makes me think it sees the user _sonicwall in the VPN_Users
group, but then I get:
Tue Aug 24 16:41:57 2010 : Debug: rlm_ldap::ldap_groupcmp:
ldap_get_values() failed
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Info: ? Evaluating (Ldap-Group ==
"VPN_Users") -> FALSE
Tue Aug 24 16:41:57 2010 : Info: +++? if (Ldap-Group == "VPN_Users") -> FALSE
Any insights appreciated.
Thanks
Rick
Full output below.
rad_recv: Access-Request packet from host 10.4.1.241 port 1196,
id=26, length=126
User-Name = "_sonicwall"
MS-CHAP-Challenge = 0x780006c8503fee2cdf1d2505fe99f322
MS-CHAP2-Response =
0x01002f06ff27350f7121396d65349fc61ca9675d0094d1b342dc5f172dc60bd9fd258fb94fc68aac5ff6
NAS-IP-Address = 10.4.1.241
NAS-Port = 0
Tue Aug 24 16:41:57 2010 : Info: server server_vpn {
Tue Aug 24 16:41:57 2010 : Info: +- entering group authorize {...}
Tue Aug 24 16:41:57 2010 : Info: ++[preprocess] returns ok
Tue Aug 24 16:41:57 2010 : Info: [mschap] Found MS-CHAP
attributes. Setting 'Auth-Type = mschap'
Tue Aug 24 16:41:57 2010 : Info: ++[mschap] returns ok
Tue Aug 24 16:41:57 2010 : Debug: [ldap] Entering ldap_groupcmp()
Tue Aug 24 16:41:57 2010 : Info: [files]expand:
OU=Enterprise,DC=int,DC=invtitle,DC=com ->
OU=Enterprise,DC=int,DC=invtitle,DC=com
Tue Aug 24 16:41:57 2010 : Info: [files]expand:
%{Stripped-User-Name} ->
Tue Aug 24 16:41:57 2010 : Info: [files]... expanding second
conditional
Tue Aug 24 16:41:57 2010 : Info: [files]expand: %{User-Name}
-> _sonicwall
Tue Aug 24 16:41:57 2010 : Info: [files]expand:
(&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person))
-> (&(sAMAccountname=_sonicwall)(objectClass=person))
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] performing search in
OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter
(&(sAMAccountname=_sonicwall)(objectClass=person))
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Info: [files]expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3d_sonicwall\2cOU\3dService
Accounts\2cOU\3dSpecial User
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3d_sonicwall\2cOU\3dService
Accounts\2cOU\3dSpecial User
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom)))
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] performing search in
OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter
(&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3d_sonicwall\2cOU\3dService
Accounts\2cOU\3dSpecial User
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3d_sonicwall\2cOU\3dService
Accounts\2cOU\3dSpecial User
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom
Tue Aug 24 16:41:57 2010 : Debug: [ldap] object not found
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug: [ldap] performing search in
CN=_sonicwall,OU=Service Accounts,OU=Special User
Accounts,OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter (objectclass=*)
Tue Aug 24 16:41:57 2010 : Debug: rlm_ldap::ldap_groupcmp:
ldap_get_values() failed
Tue Aug 24 16:41:57 2010 : Debug: [ldap] ldap_release_conn: Release Id:
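The debug output above shows the two lookups rlm_ldap's ldap_groupcmp() makes in FreeRADIUS 2.x: first a subtree search under the basedn for a group with cn=VPN_Users whose member/uniquemember attribute holds the user's DN (the filter only matches objectClass GroupOfNames or GroupOfUniqueNames, which Active Directory groups do not carry, since they are objectClass=group), and, when that returns "object not found", a base-scope read of the user's own entry for its membership attribute (memberOf by default), which fails with "ldap_get_values() failed" when no values come back. The following is an added example modelling that sequence over a constructed in-memory directory; it is not FreeRADIUS code and not data from the post, and the DN matching is deliberately simplified (lower-casing only, no escape handling).

```python
"""Toy model of rlm_ldap's two-step ldap_groupcmp() (FreeRADIUS 2.x).

Added example, not FreeRADIUS code. The directory is an in-memory dict standing
in for AD; the two lookups mirror the searches in the debug output:
  1. subtree search under basedn for cn=<group> with member/uniquemember=<userdn>
     (objectClass GroupOfNames / GroupOfUniqueNames),
  2. if nothing is found, read the user's memberOf and match the group CN there.
"""
from __future__ import annotations

# Constructed names, chosen to look like the ones in the debug output.
BASEDN = "OU=Enterprise,DC=int,DC=invtitle,DC=com"
USER_DN = ("CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,"
           "OU=Enterprise,DC=int,DC=invtitle,DC=com")
GROUP_DN = "CN=VPN_Users,OU=Enterprise,DC=int,DC=invtitle,DC=com"
GROUP_NAME = "VPN_Users"


def norm(dn: str) -> str:
    """Simplified DN comparison: case-insensitive only (real matching also
    normalises whitespace and escaping such as \\3d / \\2c)."""
    return dn.lower()


def under_base(dn: str, basedn: str) -> bool:
    """Subtree scope: the entry's DN ends with the search base."""
    return norm(dn).endswith(norm(basedn))


def cn_of(dn: str) -> str:
    """First RDN value of a DN, e.g. 'CN=VPN_Users,OU=...' -> 'VPN_Users'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def group_search(directory, basedn, group_name, user_dn) -> bool:
    """Step 1: emulate (&(cn=G)(|(&(objectClass=GroupOfNames)(member=U))
    (&(objectClass=GroupOfUniqueNames)(uniquemember=U)))) under basedn."""
    for dn, attrs in directory.items():
        if not under_base(dn, basedn) or norm(cn_of(dn)) != norm(group_name):
            continue
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        members = {norm(m) for m in attrs.get("member", [])}
        umembers = {norm(m) for m in attrs.get("uniquemember", [])}
        if "groupofnames" in classes and norm(user_dn) in members:
            return True
        if "groupofuniquenames" in classes and norm(user_dn) in umembers:
            return True
    return False  # the module logs this as "object not found"


def memberof_fallback(directory, user_dn, group_name, attr="memberOf"):
    """Step 2: base-scope read of the user entry for its membership attribute.
    Returns None when no values come back, the case the module logs as
    "ldap_get_values() failed"; otherwise whether any value's CN matches."""
    entry = directory.get(user_dn)
    values = entry.get(attr) if entry else None
    if not values:
        return None
    return any(norm(cn_of(v)) == norm(group_name) for v in values)


def ldap_groupcmp(directory, basedn, user_dn, group_name):
    """Return (matched, trace) in the order the real module evaluates."""
    trace = []
    if group_search(directory, basedn, group_name, user_dn):
        trace.append("group search under basedn matched")
        return True, trace
    trace.append("group search under basedn: object not found")
    res = memberof_fallback(directory, user_dn, group_name)
    if res is None:
        trace.append("memberOf: ldap_get_values() failed")
        return False, trace
    trace.append("memberOf: " + ("matched" if res else "no matching CN"))
    return res, trace


def scenarios():
    """Three constructed directories; returns {name: (matched, trace)}."""
    person = {"objectClass": ["person"], "sAMAccountName": ["_sonicwall"]}
    rfc_group = {"objectClass": ["top", "groupOfNames"], "member": [USER_DN]}
    ad_group = {"objectClass": ["top", "group"], "member": [USER_DN]}
    with_memberof = dict(person, memberOf=[GROUP_DN])
    cases = {
        # RFC-style group under the basedn: step 1 succeeds.
        "groupOfNames_under_base": {USER_DN: person, GROUP_DN: rfc_group},
        # AD group (objectClass=group): step 1 misses, memberOf rescues it.
        "ad_group_memberOf_present": {USER_DN: with_memberof, GROUP_DN: ad_group},
        # AD group and memberOf absent/unreadable: both steps fail.
        "ad_group_memberOf_missing": {USER_DN: person, GROUP_DN: ad_group},
    }
    return {name: ldap_groupcmp(d, BASEDN, USER_DN, GROUP_NAME)
            for name, d in cases.items()}


if __name__ == "__main__":
    for name, (matched, trace) in scenarios().items():
        print(f"{name}: {matched}  {' -> '.join(trace)}")
```

The third scenario reproduces the shape of the debug output in the post (object not found, then ldap_get_values() failed, then Ldap-Group evaluating to FALSE): against a directory whose groups are objectClass=group, the result of the Ldap-Group check rests entirely on whether the bind account can read memberOf on the user entry being checked.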