On Sat, Jul 23, 2011 at 1:25 PM, vijaysingh <[email protected]> wrote:
> Please find below the configuration and logs :-
>
> ##################################################
> /etc/raddb/users
> ##################################################
> DEFAULT LDAP-Group == "CiscoRWL2Lr", Auth-Type := Accept

There you go. That line effectively means "if the user is a member of the CiscoRWL2Lr LDAP group, then accept it". Period. No password check whatsoever. I'd recommend you just remove all the "Auth-Type := Accept" parts ...

> Reply-Message = "Welcome! You have administrative access.",
> Service-Type = NAS-Prompt-User,
> cisco-avpair = "shell:priv-lvl=15"
>
> DEFAULT LDAP-Group == "CiscoROL2Lr", Auth-Type := Accept
> Reply-Message = "Welcome! You have limited access.",
> Service-Type = NAS-Prompt-User,
> cisco-avpair = "shell:priv-lvl=1"
>
> DEFAULT Auth-Type := Reject

... and simply use that Auth-Type := Reject to reject users not in the two LDAP groups. But that's only half of the problem.

> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?

The other half is that you're on AD, which does not store plain text passwords or hand out NT-hashes. For this part try reading the Active Directory guide on the FR wiki or deployingradius.com

-- 
Fajar

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
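The users file entries quoted in this thread grant access on LDAP group membership alone because `Auth-Type := Accept` short-circuits authentication. The following is an added example, not code from the thread or from the FreeRADIUS project: a small Python audit script that parses users-file text with a simplified reader of the `name  check-items` / indented reply-items layout (it does not cover every construct the real file supports, e.g. `Fall-Through` handling) and flags entries that force `Auth-Type := Accept`. The two embedded configurations are constructed from the quoted one: `BEFORE` is the poster's file, `AFTER` is the same file with the `Auth-Type := Accept` items removed as Fajar suggests, keeping `DEFAULT Auth-Type := Reject` as the catch-all. It addresses only the first half of the problem; the AD password-verification part is not covered here.

```python
import re
from dataclasses import dataclass, field

# Operators used in the FreeRADIUS users file, longest first so that the
# regex does not split ":=" into ":" and "=" or "==" into two "=".
_OPS = r'(:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)'
# One "Attribute op value" item; the value is a quoted string or a bare token.
_ITEM = re.compile(r'([\w\-]+)\s*' + _OPS + r'\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


@dataclass
class Entry:
    name: str                                   # username or DEFAULT
    line: int                                   # 1-based line of the entry head
    check: list = field(default_factory=list)   # (attr, op, value) check items
    reply: list = field(default_factory=list)   # (attr, op, value) reply items


def parse_users(text):
    """Parse users-file text into Entry objects (simplified reader, assumption).

    An entry starts at column 0 with a name followed by its check items;
    indented lines that follow carry its reply items. Blank lines and
    '#' comment lines are skipped.
    """
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if not raw[0].isspace():
            name, rest = re.match(r'(\S+)\s*(.*)', raw).groups()
            current = Entry(name, lineno, _ITEM.findall(rest))
            entries.append(current)
        elif current is not None:
            current.reply.extend(_ITEM.findall(raw))
    return entries


def audit(entries):
    """Return (line, name, message) for every entry forcing Auth-Type := Accept."""
    findings = []
    for e in entries:
        for attr, op, value in e.check:
            if attr.lower() == 'auth-type' and op == ':=' and value.strip('"').lower() == 'accept':
                msg = 'Auth-Type := Accept skips credential verification'
                if any(a.lower() == 'ldap-group' for a, _, _ in e.check):
                    msg += ' (access granted on LDAP group membership alone)'
                findings.append((e.line, e.name, msg))
    return findings


def lint(text):
    """Parse and audit in one call."""
    return audit(parse_users(text))


# Constructed from the configuration quoted in the thread ("before").
BEFORE = '''\
DEFAULT LDAP-Group == "CiscoRWL2Lr", Auth-Type := Accept
\tReply-Message = "Welcome! You have administrative access.",
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=15"

DEFAULT LDAP-Group == "CiscoROL2Lr", Auth-Type := Accept
\tReply-Message = "Welcome! You have limited access.",
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=1"

DEFAULT Auth-Type := Reject
'''

# Same file with the forced Accept removed, as suggested in the reply ("after").
# Group members now go through normal authentication; everyone else is rejected.
AFTER = '''\
DEFAULT LDAP-Group == "CiscoRWL2Lr"
\tReply-Message = "Welcome! You have administrative access.",
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=15"

DEFAULT LDAP-Group == "CiscoROL2Lr"
\tReply-Message = "Welcome! You have limited access.",
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=1"

DEFAULT Auth-Type := Reject
'''

if __name__ == '__main__':
    for label, text in (('BEFORE', BEFORE), ('AFTER', AFTER)):
        print(label)
        for line, name, msg in lint(text) or [(None, None, 'no findings')]:
            print(f'  line {line} {name}: {msg}' if line else f'  {msg}')
```

Running the script reports both `DEFAULT` group entries of `BEFORE` (lines 1 and 6) and nothing for `AFTER`. To check a live server's file, read `/etc/raddb/users` and pass its contents to `lint()`; remember that the script only catches the forced-Accept pattern, not whether the remaining authentication path against AD actually works.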

