Authenticating to a Windows 2003 active directory

[Ken George]

Does anyone have a working radiusd.conf and users file I could see as I
have been unsuccessful configuring
Freeradius 1.0.1 to talk to my Active Directory.

When I try to test with radtest I get the following:


[root at phllnxsrv01 freeradius-1.0.4]# radtest "ken george" "xxxxxx"
localhost 1 testing123
Sending Access-Request of id 105 to 127.0.0.1:1812
        User-Name = "ken george"
        User-Password = "xxxxxx"
        NAS-IP-Address = phllnxsrv01
        NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
        User-Name = "ken george"
        User-Password = "\030\035`\222\375Q\267\301\357\270O\352\335Kj3"
        NAS-IP-Address = phllnxsrv01
        NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
        User-Name = "ken george"
        User-Password = "\030\035`\222\375Q\267\301\357\270O\352\335Kj3"
        NAS-IP-Address = phllnxsrv01
        NAS-Port = 1

Is my radtest string correct?

Exerpts from radiusd.conf and users follow:

Radiusd.conf


	# Lightweight Directory Access Protocol (LDAP)
	#
	#  This module definition allows you to use LDAP for
	#  authorization and authentication (Auth-Type := LDAP)
	#
	#  See doc/rlm_ldap for description of configuration options 
	#  and sample authorize{} and authenticate{} blocks 
	ldap {
		server = "phldcsrv01.us.mi-services.net"
		identity = "cn=ken george,o=US
Users,c=us.mi-services.net"
		password = 262144
		basedn = "o=phldcsrv01,c=us.mi-services.net"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# base_filter = "(objectclass=radiusprofile)"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with
normal
		# ldap connections instead of using ldaps (port 689)
connections
		start_tls = no

		# tls_cacertfile	= /path/to/cacert.pem
		# tls_cacertdir		= /path/to/ca/dir/
		# tls_certfile		= /path/to/radius.crt
		# tls_keyfile		= /path/to/radius.key
		# tls_randfile		= /path/to/rnd
		# tls_require_cert	= "demand"

		# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		access_attr = "dialupAccess"

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_connections_number = 5

		#
		# NOTICE: The password_header directive is NOT case
insensitive
		#
		# password_header = "{clear}"
		#
		#  The server can usually figure this out on its own,
and pull
		#  the correct User-Password or NT-Password from the
database.
		#
		#  Note that NT-Passwords MUST be stored as a 32-digit
hex
		#  string, and MUST start off with "0x", such as:
		#
		#	0x000102030405060708090a0b0c0d0e0f
		#
		#  Without the leading "0x", NT-Passwords will not work.
		#  This goes for NT-Passwords stored in SQL, too.
		#
		# password_attribute = userPassword
		# groupname_attribute = cn
		# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
		# groupmembership_attribute = radiusGroupName
		timeout = 4
		timelimit = 3
		net_timeout = 1
		# compare_check_items = yes
		# do_xlat = yes
		# access_attr_used_for_allow = yes
	}

(output suppressed)

authorize {
	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	#
	#  It also adds the %{Client-IP-Address} attribute to the
request.
	preprocess

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log
	
#	attr_filter

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been
set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type :=
MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authenticate' section.
#	digest

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	eap

	#
	#  Read the 'users' file
	files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
	ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	# Use the checkval module
#	checkval
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	Auth-Type LDAP {
		LDAP
	}
	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
#	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#  
	unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.

	#
	#  Allow EAP authentication.
	eap

}

Users file

DEFAULT		Ldap-Group = Administrators, Auth-Type = LDAP
	Fall-through = yes

Thanks!

Ken George
Systems and Network Engineering
Mi Services Group, Inc.   
+1 610-230-2500 x129