FreeRadius cannot Authenticate to Windows AD

Michael Calizo mike.calizo at gmail.com
Mon Dec 19 06:26:45 CET 2005


Alhagie,

Hey, I made it work now. I can now authenticate to my MSAD. Thanks for the
hints. My radiusd.conf looks like this now. I can now even make my Cisco
1700 dial-in server authenticate to my MSAD.


ldap {
                server = "192.168.1.1"
                #identity = "cn=admin,o=My Org,c=UA"
                identity = "mike@domain.com"
                password = mike123
                # password = mypass
                basedn = "CN=Users,DC=domain,DC=com"
                filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
}



Tnx for your help...




On 12/19/05, Michael Calizo <mike.calizo at gmail.com> wrote:
>
> Hi Alhagie,
>
> Below is my ldapsearch result, which shows that it can connect to
> MSAD. But when I configure the LDAP part of my radiusd.conf as shown below,
>
> ldap {
>                 server = "192.168.1.1"
>                 #identity = "cn=admin,o=My Org,c=UA"
>                 # password = mypass
>                 basedn = "CN=Person,DC=chikka,DC=ph"
>                 filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
>                 # base_filter = "(objectclass=radiusprofile)"
>
>                 start_tls = no
> }
>
> I still get the error below when I try to use radtest as shown below:
>
> radtest mike mike123 192.168.1.13:1812 1812 testing1234
> Sending Access-Request of id 185 to 192.168.1.13:1812
>         User-Name = "mike"
>         User-Password = "mike123"
>         NAS-IP-Address = repository.domain.com
>         NAS-Port = 1812
> rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=185,
> length=20
>
> RADIUSD LOG:
>
> rlm_ldap: login attempt by "mike" with password "mike123"
> radius_xlat:  '(SamAccountName=mike)'
> radius_xlat:  'CN=Person,DC=chikka,DC=ph'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
> rlm_ldap: bind as / to 192.168.1.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter
> (SamAccountName=mike)
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module "ldap" returns fail for request 0
> modcall: group Auth-Type returns fail for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 185 to 192.168.1.13:37977
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 185 with timestamp 43a61b6c
> Nothing to do.  Sleeping until we see a request.
>
>
> LDAPSEARCH RESULT
>
> [root@repository ~]# ldapsearch -LLL -h 192.168.1.1 -x -b
> 'dc=domain,dc=com' '(samaccountname=mike)' -D mike -w mike123
> dn: CN=mike,CN=Users,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: mike
> givenName: mike
> distinguishedName: CN=mike,CN=Users,DC=domain,DC=com
> instanceType: 4
> whenCreated: 20050616031658.0Z
> whenChanged: 20051201135642.0Z
> displayName: mike
> uSNCreated: 11557650
> memberOf: CN=svnusers,CN=Users,DC=domain,DC=com
> memberOf: CN=noc,CN=Users,DC=domain,DC=com
> memberOf: CN=QA,CN=Users,DC=domain,DC=com
> uSNChanged: 12322817
> name: mike
> objectGUID:: vSHdzG0AG02jW9AZzurvqQ==
> userAccountControl: 66048
> badPwdCount: 2
> codePage: 0
> countryCode: 0
> badPasswordTime: 127792025390218068
> lastLogoff: 0
> lastLogon: 127758129860897359
> pwdLastSet: 127779190022698471
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAc+SiCBWZJKtAqKm9ZQUAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: mike
> sAMAccountType: 805306368
> userPrincipalName: mike@domain.com
> lockoutTime: 0
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
>
> # refldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com
>
> # refldap://DomainDnsZones.domain/DC=DomainDnsZones,DC=doamin,DC=com
>
> # refldap://chikka.ph/CN=Configuration,DC=doamin,DC=com
>
>
> Thanks in advance,
>
>
>
> --
> Mike Calizo
> Registered Linux User # 365113
>
> _________________________________________________
> Even the longest journey has to start with a small first-step
>
>



--
Mike Calizo
Registered Linux User # 365113

_________________________________________________
Even the longest journey has to start with a small first-step
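The two differences between the failing and the working configuration above are the bind credentials and the base DN: the failing run did an anonymous bind (rlm_ldap logs it as "bind as / to 192.168.1.1:389") and then searched under CN=Person,DC=chikka,DC=ph, while the account actually lives under CN=Users,DC=domain,DC=com according to the ldapsearch output. Active Directory refuses unauthenticated searches below the RootDSE and reports that as "Operations error", which is exactly what rlm_ldap printed. The working configuration also deserves a caveat: it binds with a named user's password, over plain port 389 with start_tls = no, so the bind password and every user password rlm_ldap checks cross the network in the clear; a dedicated low-privilege bind account, start_tls = yes (or LDAPS), and tight file permissions on radiusd.conf are the usual fixes. The following script is an added example, not FreeRADIUS code and not from the poster: it parses the rlm_ldap lines of a `radiusd -X` run plus an `ldap { }` block and returns the finding codes a reviewer would raise. The reading of the "bind as X/Y" line as identity/password, the `port` key defaulting to 389, and the finding codes themselves are this example's assumptions; the sample inputs are copied from the thread.

```python
"""Offline triage for an rlm_ldap -> Active Directory failure.

Added example (not FreeRADIUS code and not from the poster). It parses the
rlm_ldap lines of a `radiusd -X` run plus an ldap { } block from radiusd.conf
and returns finding codes; the sample inputs below are copied from the thread.
"""
import re

# Sample input 1: the rlm_ldap lines from the failing run quoted in the mail.
FAILING_LOG = """\
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as / to 192.168.1.1:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter (SamAccountName=mike)
rlm_ldap: ldap_search() failed: Operations error
"""

# Sample input 2: the final, working ldap { } block from the top of the mail.
WORKING_CONF = """\
ldap {
    server = "192.168.1.1"
    identity = "mike@domain.com"
    password = mike123
    basedn = "CN=Users,DC=domain,DC=com"
    filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
}
"""

# The user's DN as returned by the ldapsearch in the thread.
USER_DN = "CN=mike,CN=Users,DC=domain,DC=com"

# Assumption: rlm_ldap 1.x logs "bind as <identity>/<password> to <host>:<port>",
# so "bind as / to ..." means an empty identity, i.e. an anonymous bind.
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<identity>[^/]*)/(?P<password>.*) to (?P<host>[^:\s]+):(?P<port>\d+)")
SEARCH_RE = re.compile(r"rlm_ldap: performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))")
FAIL_RE = re.compile(r"rlm_ldap: ldap_search\(\) failed: (?P<err>.+)")
KV_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"?(?P<val>[^"\n]*)"?\s*$')

EXPLANATIONS = {  # finding codes are this example's own naming
    "anonymous-bind-search": "search ran on an anonymous bind; AD answers such "
        "searches with 'Operations error', so identity/password must be set",
    "basedn-excludes-user": "basedn is not a suffix of the user's DN, so the "
        "search can never find the account",
    "no-bind-credentials": "identity/password missing: rlm_ldap binds anonymously",
    "cleartext-ldap": "bind password and every checked user password cross the "
        "network unencrypted: set start_tls = yes or use LDAPS on port 636",
}


def parse_log(log):
    """Pick the bind, search and error out of rlm_ldap debug output."""
    info = {"identity": None, "host": None, "port": None,
            "base": None, "filter": None, "error": None}
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            info.update(identity=m["identity"], host=m["host"], port=int(m["port"]))
            continue
        m = SEARCH_RE.search(line)
        if m:
            info.update(base=m["base"], filter=m["filter"])
            continue
        m = FAIL_RE.search(line)
        if m:
            info["error"] = m["err"].strip()
    return info


def parse_conf(text):
    """Flatten the `key = value` lines of an ldap { } block; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            conf[m["key"]] = m["val"].strip()
    return conf


def dn_under_base(dn, base):
    """Case-insensitive RDN suffix test (escaped commas are not handled)."""
    def norm(s):
        return [p.strip().lower() for p in s.split(",")]
    d, b = norm(dn), norm(base)
    return bool(b) and len(b) <= len(d) and d[-len(b):] == b


def diagnose_log(info, user_dn=None):
    findings = []
    if info["identity"] == "" and info["error"] and "Operations error" in info["error"]:
        findings.append("anonymous-bind-search")
    if user_dn and info["base"] and not dn_under_base(user_dn, info["base"]):
        findings.append("basedn-excludes-user")
    return findings


def diagnose_conf(conf):
    findings = []
    if not conf.get("identity") or not conf.get("password"):
        findings.append("no-bind-credentials")
    tls = conf.get("start_tls", "no").lower() in ("yes", "on", "1")
    if conf.get("password") and not tls and conf.get("port", "389") != "636":
        findings.append("cleartext-ldap")
    return findings


def report(findings):
    return [f"{code}: {EXPLANATIONS[code]}" for code in findings]


if __name__ == "__main__":
    for f in report(diagnose_log(parse_log(FAILING_LOG), USER_DN)):
        print("log :", f)
    for f in report(diagnose_conf(parse_conf(WORKING_CONF))):
        print("conf:", f)
```

Run against the thread's own data it flags the anonymous bind and the foreign base DN for the failing run, and only the cleartext transport for the working block; the same regexes apply to any other `radiusd -X` capture of the 1.x rlm_ldap module.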