Cisco to FreeRadius to AD-LDAP authentication

Dickson, John JDickson2 at mccneb.edu
Mon Jan 9 23:14:10 CET 2006


I have tried and nearly completely succeeded in authentication and
authorization. The user is identified in LDAP just not provided access
(rad_recv: Access-Reject packet from host 10.1.1.27:1812, id=121,
length=20).
 
Another issue I have is with the user login. In Windowz, a new user is
created by providing the first name, middle initial and last name, which
are not their "User logon name". These credentials are distributed within
AD-LDAP in the "CN=" fields using spaces to break the name. If this is
not exactly how the "User logon name" is installed, then the RADIUS request
rejects authentication. An example would be:
 
User Tom Thumb
Logon tthumb
CN=Tom Thumb
sAMAccountName=radtest
 
So when a request of the database occurs using an LDAP lookup with
"cn=tthumb", it fails, and I do not know if there is another way around
this, but using sAMAccountName doesn't work either.
 
I am hopeful that I am missing something.
 
My question is, how do I get an "Accept" from the request, and is there a
way around the basedn naming conventions that will allow FreeRadius to
work with Windowz?
 
Below is user "testing" with a logon of "testing".
 
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
radius_xlat:  '(cn=testing)'
radius_xlat:  'ou=xxxx0,dc=xxxx1,dc=xxxx2,dc=EDU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to xxxx1.xxxx2.EDU:389, authentication 0
rlm_ldap: bind as superuser at xxxx1.xxxx2.edu/password to xxxx1.xxxx2.EDU:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=xxxx0,dc=xxxx1,dc=xxxx2,dc=EDU, with
filter (cn=testing)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.1.1.27:32803, id=121,
length=59
Sending Access-Reject of id 121 to 10.1.1.27:32803
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 121 with timestamp 43c2d99f
Nothing to do.  Sleeping until we see a request.
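The debug output above shows two separate problems: the search filter matches the display name (cn) rather than the Windows logon name, and authorize ends up with Auth-Type System, so the unix module is asked to validate a user that only exists in AD. The fragment below is an added example (not from the original post or the FreeRADIUS project) of how the relevant radiusd.conf sections could look for FreeRADIUS 1.x; the host, OU and service-account DN are placeholders taken from the post, and the password is a dummy value.

```conf
# radiusd.conf, modules { } section, FreeRADIUS 1.x syntax (assumed version)
ldap {
    server   = "xxxx1.xxxx2.EDU"
    # Service account used only for the search; AD does not permit
    # anonymous searches. DN is a placeholder, not from the post.
    identity = "cn=superuser,cn=Users,dc=xxxx1,dc=xxxx2,dc=EDU"
    password = "REPLACE-ME"
    basedn   = "ou=xxxx0,dc=xxxx1,dc=xxxx2,dc=EDU"

    # Before: cn holds the display name ("Tom Thumb"), so a login as
    # "tthumb" never matches.
    #filter  = "(cn=%{Stripped-User-Name:-%{User-Name}})"

    # After: sAMAccountName is the Windows "User logon name".
    filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
}

authorize {
    preprocess
    files
    # "unix" removed from this list: it only knows /etc/passwd and
    # contributed the Auth-Type System seen in the debug output.
    ldap
}

authenticate {
    # AD never hands out the user's password or hash, so the only way to
    # verify the credentials is to bind to AD as that user.
    Auth-Type LDAP {
        ldap
    }
}
```

In the users file, a single `DEFAULT Auth-Type := LDAP` entry forces every request through the LDAP bind so that "Found Auth-Type System" can no longer occur; expect "rlm_ldap: Bind was successful" during the authenticate phase when the user's own password is correct.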