Re: authentification
On 2010/05/18 10:47 PM, dorra aa wrote:
> is there somebody want to tell what's the utility of it?
>
> From: dj_dido2...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: authentification
> Date: Tue, 18 May 2010 19:40:28 +
>
> hi freeradius, i want to ask how to use MAC Address Authentication in my freeradius. besides, i add an address mac with the daloradius. how can i test the success of that? thank you

Have a look here.
http://catb.org/~esr/faqs/smart-questions.html

Also here.
http://catb.org/~esr/faqs/smart-questions.html#homework

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation fault on 2.1.7 during HUP
coja wrote:
> Could you please tell me how i can include my pins file to users file. When i write line like $INCLUDE pins in the beginning of the users file, i can see how that line will disappear after reload or restart.

Huh? The users file is reloaded, along with all $INCLUDE files. Maybe try using an absolute path for the $INCLUDE?

> I use web interface for PIN file and it has special rights for apache. Are there exist ways to do it somehow or i should work with users file through interface?

Have you thought about using a database? That's really what they're for.

Alan DeKok.
Active Directory as PKI
Hello freeradius users/admins,

I'm trying to implement EAP-TLS authorization with freeradius and Active Directory Certificate Services, but I'm stuck here... With keys/certificates generated with the freeradius makefile (/etc/raddb/certs) everything is working fine. Here is the hierarchy of keys generated by freeradius:

    ca.crt (+ca.key)
      ||
    server.crt (+server.key)            // issuer ca.crt
      ||
    client1.crt client2.crt ...         // issuer server.crt

Apart from this scheme, Active Directory stores certificates in this way:

    ca.crt (key in AD and cannot be used by freeradius)
      ||
    sub_ca.crt (key in AD and cannot be used by freeradius)   // issuer ca.crt
      ||
    server.crt (+key)                   // issuer sub_ca.crt (this is for private_key_file and certificate_file in freeradius config)
      ||
    client1.crt client2.crt ...         // issuer sub_ca.crt

I concatenate the ca.crt file with sub_ca.crt, and openssl verify produces OK:

    # openssl verify -CAfile ca.crt clent.crt
    clent.crt: OK

But trying to authenticate from the client I get the error unknown_ca. I have attached the full debug log.

client (wpa_supplicant) - wifi access (linksys with dd-wrt) - server (freeradius-2.1.7)

wpa_supplicant.conf:

    network={
        ssid=work
        proto=RSN
        key_mgmt=WPA-EAP
        pairwise=CCMP
        eap=TLS
        identity=radius
        ca_cert=/home/work/ca.crt
        client_cert=/home/work/wifi_client.crt
        private_key=/home/work/wifi_client.key
        private_key_passwd=
        priority=1
    }

freeradius relevant section:

    tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = /etc/raddb/certs/win/server.key   // generated from sub_ca
        certificate_file = /etc/raddb/certs/win/server.crt   // generated from sub_ca
        CA_file = /etc/raddb/certs/win/ca.crt                // concatenated ca.crt + sub_ca.crt from windows store
        dh_file = /etc/raddb/certs/dh                        // generated by makefile
        random_file = /etc/raddb/certs/random                // generated by makefile
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = DEFAULT
    }

Note: server.crt and client.crt have all the necessary extensions (OIDs): TLS Web Server Authentication and TLS Web Client Authentication.

My question: is it possible to organize such a scheme, freeradius + Windows certificate center? MUST client.crt be issued by server.crt, or MAY they both be issued by a higher-level CA, like Active Directory does? If this has been discussed before, please point me in the right direction.

    Listening on authentication address * port 1812
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.1.93 port 2048, id=0, length=167
        User-Name = koshiko...@agromat.intranet
        NAS-IP-Address = 192.168.1.93
        Called-Station-Id = 687f7402229e
        Calling-Station-Id = 001b77a5bd59
        NAS-Identifier = 687f7402229e
        NAS-Port = 1
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0220016b6f7368696b6f762e6e406167726f6d61742e696e7472616e6574
        Message-Authenticator = 0x6f74a60a7122ce86332f6c12f0a58b2d
    +- entering group authorize {...}
    ++[mschap] returns noop
    [ntdomain] No '\' in User-Name = koshiko...@agromat.intranet, looking up realm NULL
    [ntdomain] Found realm DEFAULT
    [ntdomain] Adding Stripped-User-Name = koshiko...@agromat.intranet
    [ntdomain] Adding Realm = DEFAULT
    [ntdomain] Authentication realm is LOCAL.
    ++[ntdomain] returns ok
    ++[control] returns ok
    [eap] EAP packet type response id 0 length 32
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[expiration] returns noop
    ++[logintime] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 192.168.1.93 port 2048
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0x786df611786cfbdfbe03eb20394d9de8
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.1.93 port 2048, id=0, length=268
    Cleaning up request 0 ID 0 with timestamp +68
        User-Name = koshiko...@agromat.intranet
        NAS-IP-Address = 192.168.1.93
        Called-Station-Id = 687f7402229e
        Calling-Station-Id = 001b77a5bd59
        NAS-Identifier = 687f7402229e
        NAS-Port = 1
        Framed-MTU = 1400
        State = 0x786df611786cfbdfbe03eb20394d9de8
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
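The chain question in the message above (server and client certificates both issued by a subordinate CA, with the root and the intermediate concatenated into CA_file) can be checked outside FreeRADIUS with the openssl command line. The script below is an added example, not part of the original thread and not FreeRADIUS code: it builds a throw-away root -> sub CA -> client chain in a temporary directory and runs openssl verify against the root alone, against the concatenated file, and with the intermediate supplied as untrusted. The subject names (demo-root, demo-sub, demo-client), the one-day validity and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> sub CA -> client chain with
# throw-away keys and show which CA file lets `openssl verify` accept the leaf.
set -e

# Minimal openssl.cnf so `openssl req` does not depend on the system config file.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_demo_pki DIR: writes ca.crt, sub_ca.crt, client.crt and chain.pem into DIR.
build_demo_pki() {
    dir=$1
    cnf=$dir/openssl.cnf
    write_cnf "$cnf"
    # Root CA (self-signed). In the poster's setup its key lives in AD; here it is disposable.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -config "$cnf" -extensions v3_ca \
        -subj "/CN=demo-root" -days 1 -out "$dir/ca.crt"
    # Subordinate CA issued by the root.
    openssl genrsa -out "$dir/sub_ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/sub_ca.key" -config "$cnf" -subj "/CN=demo-sub" -out "$dir/sub_ca.csr"
    openssl x509 -req -in "$dir/sub_ca.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_ca -days 1 -out "$dir/sub_ca.crt" 2>/dev/null
    # Client (EAP-TLS supplicant) certificate issued by the sub CA, not by the server certificate.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -config "$cnf" -subj "/CN=demo-client" -out "$dir/client.csr"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/sub_ca.crt" -CAkey "$dir/sub_ca.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_leaf -days 1 -out "$dir/client.crt" 2>/dev/null
    # The concatenated file the poster put into CA_file.
    cat "$dir/ca.crt" "$dir/sub_ca.crt" > "$dir/chain.pem"
}

# verify_leaf CAFILE LEAF: exit 0 when openssl accepts LEAF against CAFILE, non-zero otherwise.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_leaf_untrusted CAFILE INTERMEDIATE LEAF: only the root is trusted; the intermediate is
# supplied the way a peer would send it in the TLS handshake.
verify_leaf_untrusted() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# chain_report DIR: one line per check, so the difference between the CA files is visible.
chain_report() {
    d=$1
    if verify_leaf "$d/ca.crt" "$d/client.crt"; then echo "root only: OK"; else echo "root only: FAIL (intermediate missing)"; fi
    if verify_leaf "$d/chain.pem" "$d/client.crt"; then echo "root+sub concatenated: OK"; else echo "root+sub concatenated: FAIL"; fi
    if verify_leaf_untrusted "$d/ca.crt" "$d/sub_ca.crt" "$d/client.crt"; then echo "root trusted, sub untrusted: OK"; else echo "root trusted, sub untrusted: FAIL"; fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
chain_report "$demo_dir"
rm -rf "$demo_dir"
```

The leaf is accepted whenever the validator can reach the root through the intermediate, either because both are in the trusted file or because the intermediate arrives as an untrusted chain certificate; with the root alone it fails with "unable to get local issuer certificate". The same rule applies to whichever side does the validating, so repeating the check with the exact file the supplicant's ca_cert points at is the natural next step when a client reports unknown_ca.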
problem with home_server template
Hello,

I'm working with FreeRADIUS 2.1.8. I would like to use templates in my proxy.conf file to define some home servers. My templates.conf file is:

    /etc/freeradius# cat templates.conf
    templates {
        home_server tldrediris {
            type = auth+acct
            port = 1812
            secret =
            #src_ipaddr = 127.0.0.1
            require_message_authenticator = no
            response_window = 20
            #no_response_fail = no
            zombie_period = 40
            revive_interval = 60
            status_check = status-server
            check_interval = 30
            num_answers_to_alive = 3
        }
    }

Then, in radiusd.conf I include this file:

    $INCLUDE templates.conf

And if I have template = tldrediris in the proxy.conf file, when FreeRADIUS starts it doesn't take the values defined in templates.conf:

    /etc/freeradius# cat proxy.conf
    home_server tld-rediris1 {
        template = tldrediris
        ipaddr = X.X.X.X
    }

    /etc/freeradius# freeradius -X
    FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
    . . .
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/templates.conf
    including configuration file /etc/freeradius/proxy.conf
    . . .
    home_server tld-rediris1 {
        ipaddr = X.X.X.X
        port = 0
        response_window = 30
        max_outstanding = 65536
        zombie_period = 40
        status_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 300
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    /etc/freeradius/proxy.conf[26]: No port, or invalid port defined for home server tld-rediris1.

On the other hand, if I use $template tldrediris in templates.conf, FreeRADIUS doesn't know tldrediris:

    /etc/freeradius# cat proxy.conf
    home_server tld-rediris1 {
        $template tldrediris
        ipaddr = X.X.X.X
    }

    /etc/freeradius# freeradius -X
    FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
    . . .
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/templates.conf
    including configuration file /etc/freeradius/proxy.conf
    WARNING: No such configuration item tldrediris
    /etc/freeradius/proxy.conf[27]: Reference tldrediris not found
    Errors reading /etc/freeradius/radiusd.conf

I remember this: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59018.html

Sorry for my English and thank you very much.

--
Ana Gallardo Gómez
State of 2.x?
Hi,

We're running 1.1.8 on FreeBSD 5.3 and have been delaying the move to 2.x until absolutely necessary. Given the recent libtool22 issues, I'm thinking it's time to move. Just wondering if people would recommend moving now to 2.1.9 or waiting a while longer for a stable 2.2?

Thanks
--
Alex
hostname variable ?
Hello Freeradius-Users,

Is there any way to reference the hostname (in fact hostname -s) in configuration files, in order to have an identical configuration file tree on both a normal and a backup freeradius 2.1.8 server?

For example, to manage different listen addresses on normal and backup: suppose a variable %{hostname} contains the result of the command hostname -s. On both normal and backup servers, we could have this:

    $INCLUDE %{hostname}.listen.conf
    # expands as $INCLUDE normal.listen.conf on the so-called normal server
    # expands as $INCLUDE backup.listen.conf on the so-called backup server

/etc/raddb/normal.listen.conf:

    listen {
        type = auth
        port = 1812
        ipaddr = 10.1.1.1
    }
    listen {
        type = acct
        port = 1813
        ipaddr = 10.1.1.1
    }
    .

/etc/raddb/backup.listen.conf:

    listen {
        type = auth
        port = 1812
        ipaddr = 10.1.1.2
    }
    listen {
        type = acct
        port = 1813
        ipaddr = 10.1.1.2
    }
    .

best regards,
Fred
FTP and Telnet request to RADIUS server
Hi,

Can we use a RADIUS server to validate the user trying to access the NAS using an ftp or telnet session?

Regards
Arjun prasad
Re: FTP and Telnet request to RADIUS server
Arjun Prasad wrote:
> Hi, Can we use RADIUS server to validate the user trying to access the NAS using ftp or telnet session.

Will your NAS send RADIUS requests when the user tries to access the NAS using a ftp or telnet session?

Alan DeKok.
Re: hostname variable ?
Fred MAISON wrote:
> Is there any way to reference hostname (in fact hostname -s) in configuration files, in order to have identical configuration files tree on both a normal and a backup freeradius 2.1.8 server ?

$ENV{HOSTNAME} refers to the environment variable HOSTNAME.

Alan DeKok.
Re: State of 2.x?
Alex French wrote:
> We're running 1.1.8 on FreeBSD 5.3 and have been delaying the move to 2.x until absolutely necessary. Given the recent libtool22 issues, I'm thinking it's time to move. Just wondering if people would recommend moving now to 2.1.9 or waiting a while longer for a stable 2.2?

Use 2.1.9, which should come out tomorrow or Monday. 2.2.0 is for major new features.

Alan DeKok.
Building and sending Acct packets
I have some use cases where I have to send an Accounting packet to a RADIUS Accounting Server to provision the user on this server. The trigger for that accounting packet must not necessarily be an accounting packet coming from a NAS. It might also be a RADIUS Access-Request.

I will build the packet, only containing

    Acct-status-type = start
    Calling-station-id = what I got from NAS
    Filter-id = something

and all the things needed by the RFC, like the acct-session-id.

So for me, the best option would be to configure a line like

    provison_serverA

What would be the module I have to configure for that reason? My process does not require me to wait for an ACK to go on. What would be a configuration option for this?

Thank You.
Re: State of 2.x?
Hi,

> Use 2.1.9, which should come out tomorrow or Monday.

been running 2.1.9 on some systems now since its pre-release with no issues noted so far

> 2.2.0 is for major new features.

...and is therefore likely to be 'unstable' compared to 2.1.x

alan
Re: State of 2.x?
Thanks Alan & Alan, that's what I wanted to know.
--
Alex
FW: MS AD / OpenLDAP with PAP - is it really not possible ?
Hello

I have got an application that allows only to authenticate using the PAP method. My goal would be to use Active Directory as a backend user database, but I found that:

> Once the PAP authentication test has been successful, the next step for sites using Active Directory is to configure the system to perform user authentication against Active Directory. The clear-text passwords are unavailable through Active Directory, so we have to use Samba

Is it true? The same page describes using ntlm_auth instead, but I cannot find how to pass attributes from the LDAP database using ntlm_auth to the RADIUS client. Is it possible to reply attributes from LDAP using ntlm_auth?

Best Regards
Pawel.
Re: hostname variable ?
Great! Thanks, Alan.

On Thursday 20 May 2010 at 13:39 +0200, Alan DeKok wrote:
> Fred MAISON wrote:
> > Is there any way to reference hostname (in fact hostname -s) in configuration files, in order to have identical configuration files tree on both a normal and a backup freeradius 2.1.8 server ?
>
> $ENV{HOSTNAME} refers to the environment variable HOSTNAME.
>
> Alan DeKok.
Re: certs files missing?
On Wed, May 19, 2010 at 01:25:56PM -0600, shirkavand wrote:
> $ cd /etc/raddb/certs
> $ make
>
> but in my freeradius installation the certs folder does not have any make file, so if i try to run above commands i get errors. In fact my installation does not have several files that the tutorial suppose that should exist, they are:
>
> Any idea why these files are missing?

Use the package and you'll probably get the certificates automatically, or find those template example files in /usr/share/doc/freeradius/examples

--
2. That which causes joy or happiness.
Re: Segmentation fault on 2.1.7 during HUP
Alan DeKok-2 wrote:
> coja wrote:
> > Could you please tell me how i can include my pins file to users file. When i write line like $INCLUDE pins in the beginning of the users file, i can see how that line will disappear after reload or restart.
>
> Huh? The users file is reloaded, along with all $INCLUDE files. Maybe try using an absolute path for the $INCLUDE?
>
> > I use web interface for PIN file and it has special rights for apache. Are there exist ways to do it somehow or i should work with users file through interface?
>
> Have you thought about using a database? That's really what they're for.
>
> Alan DeKok.

Hello All!

I solved that problem. I've just written $INCLUDE ./users.other and the problem was gone. I can't use databases, because it's so complicated to replicate databases between offices. I store accounting of different branch offices in 5 databases. Ok, i will try to find a way to replicate only the pins file and import it to the databases.

Thank You!
Re: freeradius + mysql trouble
I was simply using the debian package manager version, seems to work fine for what I need.

> is version of freeradius supplied by distro or package manager? have you uncommented calls to sql - eg in the default server or inner-tunnel (look in the required/needed sections, eg authorize, authenticate etc). i also note you dont have SSL support so wont be able to do any EAP stuff.
>
> alan

That was exactly the problem, none of the docs mention that file which is why I missed it.

> Part way through, it says:
>
>     Edit /etc/raddb/sites-available/default ...
>
> You didn't do that.

    # /usr/sbin/freeradius -X
    FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
Re: Building and sending Acct packets
Stefan A. wrote:
> I have some use cases, where I have to send an Accounting packet to an RADIUS Accounting Server to provision the user on this server. The trigger for that accounting packet must not be necessarily an accounting packet, coming from a NAS. It might also be a RADIUS Access Request.
> ...
> So for me, the best option would be to configure a line like provison_serverA
> What would be the module, I have to configure for that reason?

There is no module to do that.

> My Process does not require me, to wait for an ACK, to go on… What would be a configuration option for this?

There is no configuration option to do that. You can run radclient as an external program. See rlm_exec, and man radclient.

Alan DeKok.
Re: FW: MS AD / OpenLDAP with PAP - is it really not possible ?
Pawel Cieplinski wrote:
> I have got application that allow only to authenticate using PAP method. My Goal would be to use Active Directory as a backend User Database, but I found that:

It should work.

> > Once the PAP authentication test has been successful, the next step for sites using Active Directory is to configure the system to perform user authentication against Active Directory. The clear-text passwords are unavailable through Active Directory, so we have to use Samba
>
> Is it true ?

sigh *IF* you're trying to configure EAP. That is one step out of many. It tests that AD integration works before going on to the next step.

> The same page describing to use ntlm_auth instead, But I cannot find how to pass attributes from LDAP Database using ntlm_auth to Radius Client. Is it possible to reply attributes from LDAP using ntlm_auth ?

No. For PAP, configure AD as an LDAP server.

Alan DeKok.
Re: certs files missing?
> Use the package and you'll probably get the certificates automatically

So i can avoid executing make in /usr/share/doc/freeradius/examples etc etc for generating test certificates? Then i can use the default ones that are stored in /etc/freeradius/certs that came with the normal package installation?
Authenticating groups via LDAP
I really didn't want to post here, but I just can't make any headway with my radius implementation. I am very new at this and still quite confused on how the various config files function and interact with each other. So, I'm not surprised that my implementation is only sort of working.

I have installed freeradius 2.1.8 on Ubuntu Server 8.04 by making deb packages from the source and installing the deb packages. Radius is relying on an LDAP server for authentication of wireless clients. Only clients with valid usernames and passwords in LDAP will get authenticated.

What I would really like to do (other than actually be able to understand the concepts behind the config files) is require clients to be in a particular LDAP group (e.g., wireless-users) in order to successfully authenticate. I don't understand how to make that happen. I've tried creating group filters like this in modules/ldap:

    groupname_attribute = cn
    groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
    groupmembership_attribute = memberUid

and this in users:

    DEFAULT LDAP-GROUP == vpn-users
        Service-Type = Administrative-User

But the output seems to indicate that it is not even considering my radiusd.conf config when it comes to the filter (see output below). I would so welcome assistance with this. In addition, is there any resource that is particularly good at explaining how radius and its config files really work?

Thanks.
John

    # freeradius -X
    FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on May 14 2010 at 09:29:10
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/ldap.dpkg-old
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/cui
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/policy.conf
    including
wildcard matching on username?
I'm running freeradius 2.1.8 with a MySQL backend. I want to do MAC-based authentication for network access control on my switch. Is it possible to specify a wildcard for the username (MAC address)? That is, if I have a bunch of computers with the same OUI on the NICs, how do I configure freeradius to just match on the OUI without adding each MAC address as a user?

Thanks for any tips and insights.
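The OUI question above has a practical wrinkle that any matching rule has to handle first: switches and access points send the MAC in Calling-Station-Id in several spellings (dashes, colons, dots, bare hex, upper or lower case), so a prefix match must normalize before it compares. The script below is an added example, not part of the thread and not a FreeRADIUS configuration: it normalizes a Calling-Station-Id to twelve lowercase hex digits, rejects anything that is not a MAC, and checks the first six digits against a constructed allow list. The allow list values and the function names are assumptions for the demo. An OUI match only says what vendor a NIC claims to be, and the address is set by the client, so this is a coarse filter rather than an authentication of the device.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): normalize a Calling-Station-Id
# and decide on its OUI (first 6 hex digits) against a constructed allow list.
set -e

# Constructed allow list for the demo (sample values, not real vendor assignments).
ALLOWED_OUIS="001b77 0050c2"

# normalize_mac ID: accept 00-1B-77-A5-BD-59, 00:1b:77:a5:bd:59, 001b.77a5.bd59 or
# 001b77a5bd59; print 12 lowercase hex digits, or fail when the input is not a MAC.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    [ ${#m} -eq 12 ] || return 1
    case $m in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s' "$m"
}

# mac_oui MAC12: the first six hex digits of a normalized MAC.
mac_oui() {
    printf '%s' "$1" | cut -c1-6
}

# oui_allowed ID: exit 0 when the normalized OUI is in ALLOWED_OUIS, 1 otherwise.
oui_allowed() {
    mac=$(normalize_mac "$1") || return 1
    oui=$(mac_oui "$mac")
    for a in $ALLOWED_OUIS; do
        [ "$a" = "$oui" ] && return 0
    done
    return 1
}

# decide ID: print the verdict for one Calling-Station-Id value.
decide() {
    if oui_allowed "$1"; then
        printf '%s -> accept (OUI %s)\n' "$1" "$(mac_oui "$(normalize_mac "$1")")"
    else
        printf '%s -> reject\n' "$1"
    fi
}

# Constructed sample values in the formats different NAS equipment produces.
for id in "00-1B-77-A5-BD-59" "001b77a5bd59" "00:50:c2:00:00:01" "08:00:27:aa:bb:cc" "not-a-mac"; do
    decide "$id"
done
```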
Re: ISG DHCP relay
On May 18, 2010, at 6:34 AM, Alan Buxey wrote:
> Hi,
>
> not quite in the same category :-P perhaps more people need to read 'how to ask questions...' ?
>
> http://catb.org/~esr/faqs/smart-questions.html

very good resource!

> Often, the person telling you to do a search has the manual or the web page with the information you need open, and is looking at it as he or she types. These replies mean that he thinks (a) the information you need is easy to find, and (b) you will learn more if you seek out the information than if you have it spoon-fed to you.
>
> You shouldn't be offended by this; by hacker standards, your respondent is showing you a rough kind of respect simply by not ignoring you. You should instead be thankful for this grandmotherly kindness.

Made me smile :)

-Arran
Re: Authenticating groups via LDAP
On 05/20/2010 05:44 PM, John Maher wrote:
> I really didn't want to post here, but I just can't make any headway with my radius implementation. I am very new at this and still quite confused on how the various config files function and interact with each other. So, I'm not surprised that my implementation is only sort of working.
>
> I have installed freeradius 2.1.8 on Ubuntu Server 8.04 by making deb packages from the source and installing the deb packages. Radius is relying on an LDAP server for authentication of wireless clients. Only clients with valid usernames and passwords in LDAP will get authenticated.
>
> What I would really like to do (other than actually be able to understand the concepts behind the config files) is require clients to be in a particular LDAP group (e.g., wireless-users) in order to successfully authenticate. I don't understand how to make that happen. I've tried creating group filters like this in modules/ldap:
>
>     groupname_attribute = cn
>     groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
>     groupmembership_attribute = memberUid
>
> and this in users:
>
>     DEFAULT LDAP-GROUP == vpn-users
>         Service-Type = Administrative-User
>
> But the output seems to indicate that it is not even considering my radiusd.conf config when it comes to the filter. (see output below). I would so welcome assistance with this. In addition, is there any resource that is particularly good at explaining how radius and its config files really works?

I feel your pain, the ldap module is poorly documented and hard to use. There is doc in doc/ldap_howto.txt, not sure where that might be installed on Ubuntu though. Just a caveat about that ldap_howto.txt, it's a bit out of date and was written with a particular configuration in mind, but you do need to wrap your head around it to understand where values are coming from.

ldap-group isn't very meaningful to set in the users file because it's an attribute in the ldap directory. In fact using the users file isn't generally useful in combination with ldap because your users are in ldap, not a flat file, right? The users file can be useful when you want to match on the NAS via huntgroups, the ldap_howto does a fair job of illustrating that.

So anyway you won't ever find vpn-users defined via the users file because the line you have won't be matched by anything. Why? Because group gets set via ldap lookups using the groupmembership_filter and asking for the groupname_attribute for what the filter matched. So one question to ask is: is your ldap directory populated with the object classes and attributes this filter is searching for?

As an aside one of the very first things I noticed looking at your debug output is the ldap module was built to use the Novell eDirectory server (which is a compile time switch). Unless you're using the Novell eDirectory server rather than a generic directory server things are going to behave a bit weird. Any idea why it's built to use Novell? Anyway that's probably not the crux of your problem at the moment, just a data point. I don't know why the eDirectory #ifdef's are even in rlm_ldap, to be honest they seem to be odd to put it politely.

I don't have time at the moment to fully analyze what's going on in your set up but one of the very first things I noticed was this:

    (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))

Notice something? Ldap-UserDn was replaced by the empty string and that search filter isn't going to do you much good is it?

So where does Ldap-UserDn come from? From doing a search in LDAP for the user. If the user is found then Ldap-UserDn is set to the location at which the user was found (think of a dn (i.e. distinguished name) as an address or pointer in an LDAP directory). So how was the search done to find the user? Well that's just a couple of lines above in the debug output:

    [ldap] performing search in dc=cns, with filter (uid=jmaher)

One of the frustrating things about rlm_ldap is it doesn't provide debug output on successful searches, only failures. There is no failure, so we assume the search succeeded, but we really don't know what the result was :-(

As a debugging tip I would suggest running ldapsearch on the command line with the same filter and see what you get back. You should get back a ldap search result with exactly one match with a specific dn, that dn is what should be showing up as Ldap-UserDn in rlm_ldap.

So for starters you need to either populate your directory such that ldapsearch finds your user using the same parameters you configured in rlm_ldap, or you need to modify the parameters in rlm_ldap to match your directory such that it can find the user. That's a good starting place from which you can build further functionality.

Hope
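The reply above traces the problem to a substitution that produced `(member=)`: the user search found no DN, Ldap-UserDn expanded to the empty string, and the group filter was run anyway. The script below is an added example, not code from the thread and not rlm_ldap: it reproduces the two expansions from the configuration in this thread by hand (`%{Stripped-User-Name:-%{User-Name}}` for the user search and `%{Ldap-UserDn}` for the group search), refuses to build a filter from an empty value, and escapes the substituted value per RFC 4515 so that a user name containing `*`, `(`, `)` or `\` stays a literal instead of changing the filter. The `&` operators, which the archived copy of the filters dropped, are restored here; the function names (ldap_escape, pick_user, user_filter, group_filter) and the sample DN are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or rlm_ldap): build the LDAP search filters from
# the thread's configuration by hand, refuse empty values, and escape per RFC 4515.
set -e

# ldap_escape VALUE: escape \ * ( ) so VALUE is matched literally inside a filter (RFC 4515).
# The backslash is escaped first so the escapes added afterwards are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# pick_user STRIPPED USER: the %{Stripped-User-Name:-%{User-Name}} fallback.
pick_user() {
    if [ -n "$1" ]; then printf '%s' "$1"; else printf '%s' "$2"; fi
}

# user_filter STRIPPED USER: the (uid=...) user search; fails when both names are empty.
user_filter() {
    name=$(pick_user "$1" "$2")
    [ -n "$name" ] || { echo "user_filter: empty User-Name, not searching" >&2; return 1; }
    printf '(uid=%s)' "$(ldap_escape "$name")"
}

# group_filter USERDN: the groupmembership_filter from the thread with Ldap-UserDn filled in.
# Fails instead of producing (member=) when the user search returned no DN.
group_filter() {
    [ -n "$1" ] || { echo "group_filter: Ldap-UserDn is empty, user search found nothing" >&2; return 1; }
    dn=$(ldap_escape "$1")
    printf '(|(&(objectClass=GroupOfNames)(member=%s))(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))' "$dn" "$dn"
}

# Demo with constructed values: a request for jmaher with no Stripped-User-Name, a DN as a
# successful user search would return it, the empty-DN case from the debug output, and a
# name built to break out of the filter.
demo() {
    printf 'user search:  %s\n' "$(user_filter "" "jmaher")"
    printf 'group search: %s\n' "$(group_filter "uid=jmaher,ou=people,dc=cns")"
    if ! group_filter "" >/dev/null 2>&1; then
        printf 'group search: skipped, no DN from the user search\n'
    fi
    printf 'hostile name: %s\n' "$(user_filter "" "*)(uid=*")"
}
demo
```

The escaped value is what should go after `-s sub` and the base DN in a manual ldapsearch when following the debugging tip above; if ldapsearch returns no entry for the escaped filter, rlm_ldap will not find one either.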