You broke the server and authentication fails - not a surprise. If the server cannot discover the source/type of auth then you need to give it a hint - the users file will feed that hint. I think you don't need the unix module.
--- original message ---
From: "Michael Phillips" <mdphi...@hotmail.com>
Subject: RE: need help authenticating against AD
Date: 20th November 2009
Time: 4:25:56

I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected. If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account.

DEFAULT Auth-Type = ntlm_auth

This is the debug output from a successful auth:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "w.x.y.z"
        NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group ntlm_auth {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mphillips
[ntlm_auth] expand: --password=%{User-Password} -> --password=xxxx
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to w.x.y.z port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 33 with timestamp +16
Ready to process requests.

Technically, this is all I need; this seems like a hacked way of doing things, though, and I want to understand the operations of the server better.
I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file. Now I get this debug output:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "w.x.y.z"
        NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [mphillips/xxxx] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> mphillips
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 34 to 10.200.1.4 port 1645
Waking up in 4.6 seconds.
Cleaning up request 0 ID 34 with timestamp +12
Ready to process requests.

Thanks for any assistance.

-Mike

> Date: Thu, 19 Nov 2009 22:30:50 +0000
> Subject: Re: need help authenticating against AD
> From: t...@kalik.net
> To: freeradius-users@lists.freeradius.org
>
> > I need some help authenticating against AD. I have followed directions
> > online as best as I can, but things still aren't working as expected.
> > These:
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> > I'm ultimately hoping to have our VPN users and admins logging into Cisco
> > network equipment authenticate against AD through our FreeRADIUS 2
> > installation. Today, I have been testing authentication from one of Cisco
> > switches, and I continually receive this basic output:
>
> You are not authenticating against AD. You are authenticating against
> local system file:
> ...
> > Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> ...
> > Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx"
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
>
> ... and the password isn't correct.
>
> > I can't tell from this output if the RADIUS server is ever even attempting
> > to reach AD.
>
> It isn't.
>
> > Obviously, if I enter the correct password for my username on
> > the RADIUS server itself, authentication will succeed, but this is not the
> > desired behavior at this time.
>
> Comment out unix in authorize then. If you follow the guide this will work
> with Auth-Type := ntlm_auth in users file.
>
> Ivan Kalik
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
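To make the "hint" concrete, the fragments below are an added illustration (not either poster's configuration and not the stock radiusd files verbatim) of how a FreeRADIUS 2 server gets from the users file to the ntlm_auth group seen in the successful debug output above. The ntlm_auth path and EXAMPLEDOMAIN are placeholders.

```conf
# --- raddb/modules/ntlm_auth (added example; path and domain are placeholders) ---
# rlm_exec runs Samba's ntlm_auth and turns its exit status into the module
# result, which is the "Exec-Program output: NT_STATUS_OK" line in the debug.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- raddb/users (top of file) ---
# The files module matches this entry for every request and sets the
# control attribute Auth-Type: that is the hint the authenticate section
# needs.  ":=" always sets it; "=" only sets it when nothing earlier in
# authorize has already chosen an Auth-Type.
DEFAULT Auth-Type := ntlm_auth

# --- raddb/sites-enabled/default (relevant parts only) ---
authorize {
        preprocess
        suffix
        eap
#       unix            # disabled: it adds Crypt-Password from /etc/shadow
        files           # sets Auth-Type from the DEFAULT entry above
        expiration
        logintime
#       pap             # disabled: only acts when a local password hash is
                        # present and no Auth-Type has been set yet
}

authenticate {
        # Entered when Auth-Type is ntlm_auth.  With no Auth-Type set at all,
        # the server logs "No authenticate method (Auth-Type) configuration
        # found for the request" and rejects, as in the second debug output.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
}
```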