Same thing has happened, I still can not authenticate to WindowsAD. Same Error is displayed when i debug radiusd....
I put quotes arround password..
radtest user 'mypass' 192.168.1.1:1812 1812 testing123
or
radtest user 'mypass' 192.168.1.1:1812 1812 testing123
What do you think is the problem?
On 12/16/05, Alhagie Puye <[EMAIL PROTECTED]> wrote:
Put quotes around the password....one thing I learned. That will take you further.I have a working config. So, please let me know if you are still running into problems.P.S.I will be posting a doc on the wiki once I'm done with testing.Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817
This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Calizo
Sent: December 15, 2005 8:26 PM
To: [email protected]
Subject: FreeRadius cannot Authenticate to Windows ADHi Guru's,
I have installed freeradius and used each LDAP module to authenticate to WINDOWS 2003 AD. The problem is it cant do the authentication, seems that i missed the radius.conf LDAP module configuration which causes the LDAP module to failed when connecting to MSAD. Below is my radius.conf config file.
Hoping that you guys can help me, coz i have been googling all day for this config and i can not make this thing work... Thnx in advance..
radius.conf:
ldap {
server = "oberon.chikka.ph"
# identity = "cn=admin,o=My Org,c=UA"
identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
password = [EMAIL PROTECTED]@n
# password = mypass
basedn = "dc=chikka,dc=ph"
# filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
#filter = "(SamAccountName=%U)"
#filter = "(SamAccountName=%u)"
# base_filter = "(objectclass=radiusprofile)"
base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
ictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
Here is my the radiusd -X -A LOG...
rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
User-Name = "myaccount"
User-Password = "mypass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat: '(&(sAMAccountName=myaccount)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 42 to 192.168.1.13:37146
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 42 with timestamp 43a23bb5
Nothing to do. Sleeping until we see a request.
--
Mike Calizo
Registered Linux User # 365113
_________________________________________________
Even the longest journey has to start with a small first-step
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Mike Calizo
Registered Linux User # 365113
_________________________________________________
Even the longest journey has to start with a small first-step
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
