Hi,
I am not able to see my authorization happening because I don't see the
value-attr or reply message. Please help. Logs attached.
rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92,
length=62
User-Name = "radiustest"
User-Password = "password@123"
NAS-IP-Address = 192.168.0.2
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] expand: %t -> Mon Jan 28 10:12:16 2013
++[auth_log] returns ok
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radiustest
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
(&(sAMAccountName=radiustest))
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,dc=example,dc=com, with filter
(&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user radiustest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radiustest
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
(&(sAMAccountName=radiustest))
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,dc=example,dc=com, with filter
(&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user radiustest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = ldap
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radiustest" with password "password@123"
[ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com
[ldap] (re)connect to 192.168.0.3:389, authentication 1
[ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password@123 to
192.168.0.3:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user radiustest authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 92 to 192.168.0.2 port 39662
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 92 with timestamp +88
Ready to process requests.
Regards,
/Neo
On 25-Jan-2013, at 3:32 AM, [email protected] wrote:
> Hi,
>
>> Do you mean the below in the "users" file?
>>
>> cisco Auth-Type := LDAP
>>
>> Service-Type = Administrative-User,
>> cisco-avpair = "shell:priv-lvl=15"
>
> no.
>
> cisco   Auth-Type := LDAP
>         Service-Type = Administrative-User,
>         cisco-avpair = "shell:priv-lvl=15"
>
>
> (see all the examples in the users file)
>
> alan
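A small parser for radiusd -X output like the trace above, added here as an example (not part of the original post or of FreeRADIUS): it lists which modules ran in each group and which attributes followed the "Sending Access-Accept" line. It assumes the 2.x debug layout, where reply attributes are printed indented under the packet line; summarize and files_consulted are hypothetical names and the trace is constructed.

```python
import re

# Constructed trace in the shape of radiusd -X (FreeRADIUS 2.x) output.
SAMPLE = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[ldap] returns ok
++[pap] returns noop
Found Auth-Type = ldap
+- entering group LDAP {...}
++[ldap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 92 to 192.168.0.2 port 39662
Finished request 2.
"""

GROUP = re.compile(r"^\+- entering group (\S+)")
RETURN = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
SENDING = re.compile(r"^Sending (\S+) of id \d+")
# Assumption: attributes of a sent packet are indented under its line.
ATTR = re.compile(r"^\s+([\w-]+)\s*[:+]?=\s*(.+)$")

def summarize(trace):
    """Return (modules run per group, packet type sent, reply attributes)."""
    groups, packet, reply = {}, None, []
    current, in_reply = None, False
    for line in trace.splitlines():
        if in_reply:
            m = ATTR.match(line)
            if m:
                reply.append((m.group(1), m.group(2)))
                continue
            in_reply = False  # first non-indented line ends the packet
        if m := GROUP.match(line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif (m := RETURN.match(line)) and current:
            groups[current].append((m.group(1), m.group(2)))
        elif m := SENDING.match(line):
            packet, in_reply = m.group(1), True
    return groups, packet, reply

def files_consulted(groups):
    """True if the files module (the users file) ran in authorize."""
    return any(mod == "files" for mod, _ in groups.get("authorize", []))

if __name__ == "__main__":
    groups, packet, reply = summarize(SAMPLE)
    print(packet, reply, "files in authorize:", files_consulted(groups))
```

An empty reply list together with files_consulted returning False means the Access-Accept carried no reply attributes and the users file was never read during authorize.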