Hi,

It doesn't look like you are using AD authentication.
Are you trying to set up ntlm_auth?
Here is a good description:
http://deployingradius.com/documents/configuration/active_directory.html

Regards
Paul

On Thu, 2009-11-19 at 21:37 +0000, Michael Phillips wrote:
> Hello All,
>
> I need some help authenticating against AD. I have followed directions
> online as best as I can, but things still aren't working as expected.
> I'm ultimately hoping to have our VPN users and admins logging into
> Cisco network equipment authenticate against AD through our FreeRADIUS
> 2 installation. Today, I have been testing authentication from one of
> Cisco switches, and I continually receive this basic output:
>
> rad_recv: Access-Request packet from host w.x.y.z port 37611, id=147,
> length=61
> User-Name = "mphillips"
> User-Password = "xxxx"
> NAS-IP-Address = w.x.y.z
> NAS-Port = 2000
> Thu Nov 19 16:17:34 2009 : Info: +- entering group authorize {...}
> Thu Nov 19 16:17:34 2009 : Info: ++[preprocess] returns ok
> Thu Nov 19 16:17:34 2009 : Info: [suffix] No '@' in User-Name =
> "mphillips", looking up realm NULL
> Thu Nov 19 16:17:34 2009 : Info: [suffix] No such realm "NULL"
> Thu Nov 19 16:17:34 2009 : Info: ++[suffix] returns noop
> Thu Nov 19 16:17:34 2009 : Info: [eap] No EAP-Message, not doing EAP
> Thu Nov 19 16:17:34 2009 : Info: ++[eap] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> Thu Nov 19 16:17:34 2009 : Info: ++[files] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[expiration] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[logintime] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns updated
> Thu Nov 19 16:17:34 2009 : Info: Found Auth-Type = PAP
> Thu Nov 19 16:17:34 2009 : Info: +- entering group PAP {...}
> Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password
> "xxxx"
> Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
> Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns reject
> Thu Nov 19 16:17:34 2009 : Info: Failed to authenticate the user.
> Thu Nov 19 16:17:34 2009 : Auth: Login incorrect (rlm_pap: CRYPT
> password check failed): [mphillips/xxxx] (from client w.x.y.z port
> 2000)
> Thu Nov 19 16:17:34 2009 : Info: Using Post-Auth-Type Reject
> Thu Nov 19 16:17:34 2009 : Info: +- entering group REJECT {..}
> Thu Nov 19 16:17:34 2009 : Info: [attr_filter.access_reject]
> expand: %{User-Name} -> mphillips
> Thu Nov 19 16:17:34 2009 : Debug: attr_filter: Matched entry DEFAULT
> at line 11
> Thu Nov 19 16:17:34 2009 : Info: ++[attr_filter.access_reject] returns
> updated
> Thu Nov 19 16:17:34 2009 : Info: Delaying reject of request 5 for 1
> seconds
> Thu Nov 19 16:17:34 2009 : Debug: Going to the next request
> Thu Nov 19 16:17:34 2009 : Debug: Waking up in 0.9 seconds.
> Thu Nov 19 16:17:36 2009 : Info: Sending delayed reject for request 5
> Sending Access-Reject of id 147 to w.x.y.z port 37611
> Thu Nov 19 16:17:36 2009 : Debug: Waking up in 4.6 seconds.
> Thu Nov 19 16:17:42 2009 : Info: Cleaning up request 5 ID 147 with
> timestamp +1181
> Thu Nov 19 16:17:42 2009 : Debug: Ready to process requests.
>
>
> I can't tell from this output if the RADIUS server is ever even
> attempting to reach AD. Obviously, if I enter the correct password for
> my username on the RADIUS server itself, authentication will succeed,
> but this is not the desired behavior at this time.
>
> Any help is greatly appreciated.
>
> Michael Phillips

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
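
One way to answer "is the server ever attempting to reach AD?" from a debug trace like the one quoted above, as an added example that is not part of the original thread and not FreeRADIUS code. The sample is a constructed subset of the quoted output, and the `AD_MODULES` names and the `trace_request` helper are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the module-return lines from the debug
# output quoted in the thread, timestamps dropped, mail-wrapped lines joined.
SAMPLE_DEBUG = """\
> Info: +- entering group authorize {...}
> Info: ++[preprocess] returns ok
> Info: ++[suffix] returns noop
> Info: ++[eap] returns noop
> Info: ++[unix] returns updated
> Info: ++[files] returns noop
> Info: ++[pap] returns updated
> Info: Found Auth-Type = PAP
> Info: +- entering group PAP {...}
> Info: [pap] Using CRYPT encryption.
> Info: ++[pap] returns reject
> Info: +- entering group REJECT {..}
> Info: ++[attr_filter.access_reject] returns updated
"""

# Assumption: module names that would show an AD-backed check in the trace.
AD_MODULES = {"ntlm_auth", "mschap", "ldap"}
GROUP_RE = re.compile(r"\+- entering group (\S+)")
MODULE_RE = re.compile(r"\+\+\[([^\]]+)\] returns (\w+)")
AUTHTYPE_RE = re.compile(r"Found Auth-Type = (\S+)")

def trace_request(debug_text):
    """Summarise which modules handled one request in radiusd debug output."""
    groups, current, auth_type = {}, None, None
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ")              # tolerate mail-quoted lines
        if m := GROUP_RE.search(line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif m := AUTHTYPE_RE.search(line):
            auth_type = m.group(1)
        elif (m := MODULE_RE.search(line)) and current:
            groups[current].append((m.group(1), m.group(2)))
    ran = {name for mods in groups.values() for name, _ in mods}
    return {
        "auth_type": auth_type,
        "updated_in_authorize": [n for n, rc in groups.get("authorize", []) if rc == "updated"],
        "ad_modules_seen": sorted(ran & AD_MODULES),
        "uses_crypt": "Using CRYPT encryption" in debug_text,
    }

if __name__ == "__main__":
    print(trace_request(SAMPLE_DEBUG))
```

For this trace the summary shows Auth-Type PAP with a CRYPT comparison and no AD-related module in any group, which matches the behaviour described in the question: only the password of the local account on the RADIUS server is being checked.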