Dustin Doris,
Thank you for the help! Here is the information.
I have the following group attributes set under LDAP in my radius.conf:
groupname_attribute = Router_Admins
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = Router_Admins
Could it be that I do not have the groupmembership filter set correctly and
Radiusd cannot verify the group membership permission?
This is what I have set in my users file:
DEFAULT Ldap-Group == Router_admins, User-Profile :=
"CN=Router_Admins,CN=Users,DC=wp,DC=wpstv,DC=com"
Fall-Through = no
Here is an output of my Radiusd -X
[EMAIL PROTECTED] root]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "mydc.XXXXXX.com"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "CN=freeradius,CN=Users,DC=XXX,DC=XXXXX,DC=com"
ldap: start_tls = no
ldap: password = "XXXXX"
ldap: basedn = "DC=XXX,DC=XXXX,DC=com"
ldap: filter = "(sAMAccountName=%u)"
ldap: default_profile = "DC=XXXX,DC=XXXXX,DC=com"
ldap: profile_attribute = "Router_Admins"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "Router_Admins"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserD n})))"
ldap: groupmembership_attribute = "Router_Admins"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 40
ldap: ldap_connections_number = 5
ldap: compare_check_items = yes
ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x9336288
Module: Instantiated ldap (ldap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:43633, id=9, length=59
User-Name = "dpatest"
User-Password = "password"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dpatest
radius_xlat: '(sAMAccountName=dpatest)'
radius_xlat: 'DC=XXXX,DC=XXXXXX,DC=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mydc.XXXXX.com:389, authentication 0
rlm_ldap: bind as CN=freeradius,CN=Users,DC=XXX,DC=XXX,DC=XXXX/XXXXX to
mydc.XXXXX.com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in DC=XXXX,DC=XXXX,DC=com, with filter
(sAMAccountName=dpatest)
request 2 done
rlm_ldap: performing search in DC=XXXX,DC=XXXXX,DC=com, with filter
(objectclass=radiusprofile)
request 3 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: default_profile/user-profile search failed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user dpatest authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: login attempt by "dpatest" with password "password"
rlm_ldap: user DN: CN=dpatest,CN=Users,DC=XXXXX,DC=XXXXX,DC=com
rlm_ldap: (re)connect to mydc.XXXXX.com:389, authentication 1
rlm_ldap: bind as CN=dpatest,CN=Users,DC=XXXXX,DC=XXXXX,DC=com/password to
mydc.XXXX.com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: user dpatest authenticated succesfully
modcall[authenticate]: module "ldap" returns ok
modcall: group Auth-Type returns ok
Sending Access-Accept of id 9 to 127.0.0.1:43633
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
[EMAIL PROTECTED] root]#
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf
> Of Dustin
> Doris
> Sent: Thursday, March 11, 2004 12:00 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Active Directory Group Authentication
>
>
> On Thu, 11 Mar 2004, Albers Darren wrote:
>
> > Hello all,
> >
> > I am attempting to use FreeRadius to authenticate based on
> a group in active
> > directory. I have it performing authentication using LDAP against
> > Active-Directory fine, but I would like to restrict it
> based on group
> > membership. From what I can determine I should use the
> users file to enable
> > group authentication but I don't seem to have that done correctly.
> >
> > After reading the archives I read a great page:
> http://doris.name/radius/
> > that I think explains how to do what I want to do but
> whenever I add the
> > following to users:
> > DEFAULT Ldap-Group == My_group, Auth-Type := reject
> > Reply-Message = "Account disabled. Please call the
> helpdesk."
> >
> > it doesn't seem to matter who logs in, as long as they have
> a valid Active
> > Directory account and the password is the correct they are
> allowed in.
> > After searching through the archives again I still am at a
> loss, I am
> > obviously missing something but I am not sure what. Can
> someone point me in
> > the right direction?
> >
> > Thank you!
> >
> > Darren
> >
>
> How do you have the groupmembership part of ldap in
> radiusd.conf setup?
>
> Also, can you post an example radiusd -X output?
>
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
**********************************************************************
The information and any files contained in this e-mail message are property of
WestPoint Stevens Inc., its subsidiaries or affiliates, and are intended only for use
of the individual or entity named above. If the reader of this message is not the
intended recipient, or the employee or agent responsible to deliver it to the intended
recipient, you hereby are notified that use, dissemination, distribution or copying of
this information is strictly prohibited. If you have received this communication in
error, please immediately notify us by return e-mail and destroy the original message.
Thank you.
**********************************************************************
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
