Get AD Profile

Nelson Vale nelsonduvall at gmail.com
Sat Jul 12 22:58:03 CEST 2008


Hi all,


I have my FreeRADIUS deployment (2.0.2) configured to authenticate users against
Active Directory, and that is working fine. But I want to retrieve the user's
profile from Active Directory, to add a VLAN ID (Tunnel-Private-Group-ID) to the
Access-Accept reply.

I really don't know how to do this and I couldn't find a clear solution, either
in the documentation (rlm_ldap) or by googling. So I would appreciate it if someone
could give me a hand with this.

What I've done so far is to add this entry to the ldap.attrmap file: "replyItem
radiusProfileDn memberOf". The profile I want to retrieve is the CN in this
object, like "cn=PROFILE,dc=domain,dc=com", but in the radius debug I'm getting
this error:


++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
        expand: %{Stripped-User-Name} -> figo
        expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) ->
(sAMAccountName=figo)
        expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter
(sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Failed to create the pair: Invalid octet string
"CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
        expand: %{Stripped-User-Name} -> figo
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo
++[files] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil
port 0 cli 02-00-00-00-00-01)
Sending Access-Accept of id 17 to 192.168.10.200 port 33000
        User-Name = "figo"
        MS-MPPE-Recv-Key =
0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
        MS-MPPE-Send-Key =
0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000



Is this the way to achieve what I want, or am I completely wrong?

Thanks,



Nelson Vale
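The post wants an AD group membership (memberOf) turned into a VLAN assignment in the Access-Accept. The following is an added example, not the poster's configuration and not FreeRADIUS code: it reproduces the group-to-VLAN policy logic offline in Python so it can be checked before it is wired into the server. It emits the three RFC 2868 / RFC 3580 attributes a switch needs together (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id as a decimal string, not an octet string), matches on the full group DN rather than on the CN alone so "grupo1" is not satisfied by "grupo10" or by a same-named group in another OU, and validates the 802.1Q range. The GROUP_TO_VLAN table, the VLAN numbers, and the assumption that AD DN components compare case-insensitively are constructed for the example.

```python
"""Map Active Directory memberOf values to the RADIUS VLAN reply attributes.

Added example: not FreeRADIUS code and not the poster's configuration.
Group DNs, VLAN numbers and the policy table are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# RFC 2868 enumerations: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: full group DN -> VLAN id. Keyed by the whole DN, not the
# CN, so a group named "grupo10" or a "grupo1" under a different OU cannot
# satisfy the entry for grupo1. Dict order is the precedence order.
GROUP_TO_VLAN: Dict[str, int] = {
    "cn=grupo1,dc=ldaptest,dc=com": 10,
    "cn=grupo2,dc=ldaptest,dc=com": 20,
}


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: split on unescaped commas, strip
    whitespace around each RDN, lower-case everything. Escaped commas (\\,)
    inside a value are kept. Assumption: AD attribute types and the CN/OU/DC
    values used here compare case-insensitively, so lower-casing is safe."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return ",".join(r.lower() for r in rdns)


def vlan_for_groups(member_of: List[str],
                    policy: Dict[str, int] = GROUP_TO_VLAN) -> Optional[int]:
    """Return the VLAN of the first policy group (in policy order) that the
    user's memberOf list contains, or None when nothing matches."""
    normalized = {normalize_dn(g) for g in member_of}
    for group_dn, vlan in policy.items():
        if normalize_dn(group_dn) in normalized:
            return vlan
    return None


def vlan_reply_attributes(member_of: List[str],
                          policy: Dict[str, int] = GROUP_TO_VLAN) -> List[Tuple[str, str]]:
    """Build the VLAN reply items for an Access-Accept.

    A switch ignores Tunnel-Private-Group-Id unless Tunnel-Type and
    Tunnel-Medium-Type accompany it, so all three are emitted together.
    Tunnel-Private-Group-Id is a RADIUS string attribute: the VLAN number is
    sent as decimal text. An empty list means the user is in no mapped group;
    the caller decides whether that is a reject or "let the switch use its
    default VLAN"."""
    vlan = vlan_for_groups(member_of, policy)
    if vlan is None:
        return []
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id {vlan} is outside the 802.1Q range 1-4094")
    return [
        ("Tunnel-Type", str(TUNNEL_TYPE_VLAN)),
        ("Tunnel-Medium-Type", str(TUNNEL_MEDIUM_IEEE_802)),
        ("Tunnel-Private-Group-Id", str(vlan)),
    ]


if __name__ == "__main__":
    # Constructed memberOf list, as AD would return it for user "figo".
    sample_member_of = ["CN=grupo1,DC=ldaptest,DC=com", "CN=Domain Users,CN=Users,DC=ldaptest,DC=com"]
    for name, value in vlan_reply_attributes(sample_member_of):
        print(f"{name} = {value}")
```

Whatever mechanism in the RADIUS server ends up doing the lookup, the two checks worth carrying over are the full-DN comparison and the range check: a policy that matches on a substring of the DN, or that passes an unvalidated value through to Tunnel-Private-Group-Id, lets a group name or a mistyped entry land a client in an unintended VLAN.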

