Ok using these settings it seems to authenticate with radtest

> Radius.conf
>
> ldap {
>     server = "domcon.company.org"
>     basedn = "dc=company,dc=org"
>     filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>     password_attribute = "userPassword"
>     identity = "cn=administrator,cn=Users,dc=company,dc=org"
>     password = password
> }
    [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
    Sending Access-Request of id 201 to 127.0.0.1:1812
            User-Name = "user"
            User-Password = "userpass"
            NAS-IP-Address = redguard.company.net
            NAS-Port = 1
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20

And the output of radius -X -A shows

    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for tporritt
    radius_xlat: '(sAMAccountName=tporritt)'
    radius_xlat: 'dc=gtdsolutions,dc=org'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter (sAMAccountName=tporritt)
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user tporritt authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok for request 1
    modcall: group authorize returns ok for request 1
    rad_check_password: Found Auth-Type LDAP
    auth: type "LDAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 1
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by "tporritt" with password "pantera"
    rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org
    rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1
    rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: user tporritt authenticated succesfully
    modcall[authenticate]: module "ldap" returns ok for request 1
    modcall: group Auth-Type returns ok for request 1
    Sending Access-Accept of id 201 to 127.0.0.1:32770
    Finished request 1

These two look to me like they authenticated the user successfully.
I have l2tp handling authentication, which puts it to pppd. In /etc/ppp/options.l2tpd I have

    # added for radius auth with radius
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe
    lcp-echo-failure 30
    lcp-echo-interval 5
    plugin radius.so

Is it possible that this will work?

I tried using ntlm_auth with no luck from pppd, as it gave me

    Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized.
    Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd: unrecognized option '--helper-protocol=ntlm-server-1'

The line I had was

    # winbind auth
    plugin winbind.so
    ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1

Just looking for a way (and preferably an example) of the authentication vs AD, since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication, but it seems to insist upon using chap and not mschap-v2; is there a difference? It still complains about the "no cleartext password". An example would be greatly appreciated!

Thanks
Tim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
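As an editor-added example (not from the original post or a reply to it), the two configuration routes the post is reaching for: pppd's winbind plugin takes the whole helper command as one quoted argument, which is why the unquoted `--helper-protocol=ntlm-server-1` was parsed as a separate, unrecognized pppd option; and FreeRADIUS's mschap module can verify the MS-CHAPv2 response through ntlm_auth, so rlm_ldap's simple-bind check (which needs a cleartext password) is not involved in authentication. Paths and the FreeRADIUS 1.x section layout are assumptions; both routes assume the host runs winbindd and is joined to the domain.

```conf
# Route 1: /etc/ppp/options.l2tpd, pppd verifies MS-CHAPv2 via winbind itself.
# (editor-added example; /usr/bin/ntlm_auth path is a placeholder)
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
plugin winbind.so
# One quoted argument: without the quotes pppd treats the --helper-protocol
# token as its own option and fails with "unrecognized option".
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

# Route 2: keep 'plugin radius.so' in pppd and let FreeRADIUS (radiusd.conf,
# 1.x layout) hand the MS-CHAPv2 challenge/response to the domain controller.
modules {
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        # ntlm_auth checks the NT-Response against AD and returns the NT key
        # needed for MPPE, so no cleartext or NT-hash password is read from LDAP.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    # mschap must run before ldap: it sets Auth-Type = MS-CHAP when the
    # request carries MS-CHAP attributes, so ldap does not claim the request
    # and then fail for lack of a cleartext password.
    mschap
    ldap     # still useful for authorization checks and reply items
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
```

With route 2, radiusd -X should show rlm_mschap running ntlm_auth for the request instead of the rlm_ldap bind seen in the debug output above.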