Help Needed !!! FreeRADIUS Integration with MS AD

Pradyumna neomatrixgem at gmail.com
Mon Jan 28 10:40:14 CET 2013


Hi,

I am not able to see my authorization happening, because I don't see the value-attr or reply message. Please help. Logs attached.

rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92, length=62
        User-Name = "radiustest"
        User-Password = "password at 123"
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log]      expand: %t -> Mon Jan 28 10:12:16 2013
++[auth_log] returns ok
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> radiustest
[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))
[ldap]  expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user radiustest authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> radiustest
[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))
[ldap]  expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user radiustest authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ldap
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radiustest" with password "password at 123"
[ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com
  [ldap] (re)connect to 192.168.0.3:389, authentication 1
  [ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password at 123 to 192.168.0.3:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user radiustest authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 92 to 192.168.0.2 port 39662
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 92 with timestamp +88
Ready to process requests.

Regards,
/Neo
Sent from my iPhone

On 25-Jan-2013, at 3:32 AM, A.L.M.Buxey at lboro.ac.uk wrote:

> Hi,
> 
>>   Do you mean the below in the "users" file?
>> 
>>   cisco Auth-Type := LDAP
>> 
>>   Service-Type = Administrative-User,
>>   cisco-avpair = "shell:priv-lvl=15"
> 
> no.
> 
> cisco Auth-Type := LDAP
>    Service-Type = Administrative-User,
>    cisco-avpair = "shell:priv-lvl=15"
> 
> 
> (see all the examples in the users file)
> 
> alan
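An added example (not from this thread and not FreeRADIUS's own parser) that models the users-file rule in Alan's reply: a line with no leading whitespace starts a new entry, so reply items typed at column 0 are read as new usernames instead of as reply items for "cisco". The parser, the CORRECT/BROKEN entries and the error wording below are constructed simplifications, not FreeRADIUS behaviour.

```python
import re
from typing import Dict, List, Tuple

# One "Attribute op value" item; values may be bare or double-quoted.
# Simplification: commas inside quoted values are not handled.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|\S+)\s*')

def parse_items(text: str) -> List[Tuple[str, str, str]]:
    """Parse a comma-separated item list, tolerating a trailing comma."""
    items = []
    for chunk in text.rstrip(',').split(','):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ITEM_RE.fullmatch(chunk)
        if not m:
            raise ValueError(f"cannot parse item {chunk!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return items

def parse_users(text: str) -> Tuple[List[Dict], List[str]]:
    """Split a users file into entries and return (entries, errors).
    A non-indented line is 'name check-items...'; indented lines that follow
    are reply items belonging to the most recent entry."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        try:
            if line[0] not in ' \t':
                parts = line.split(None, 1)
                name, rest = parts[0], (parts[1] if len(parts) > 1 else '')
                entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
            elif entries:
                entries[-1]['reply'].extend(parse_items(line))
            else:
                raise ValueError("reply item before any entry")
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return entries, errors

# Constructed samples: the indented form from Alan's reply, and the same
# three lines with the reply items at column 0.
CORRECT = 'cisco Auth-Type := LDAP\n    Service-Type = Administrative-User,\n    cisco-avpair = "shell:priv-lvl=15"\n'
BROKEN = 'cisco Auth-Type := LDAP\nService-Type = Administrative-User,\ncisco-avpair = "shell:priv-lvl=15"\n'

if __name__ == "__main__":
    for label, sample in (("correct", CORRECT), ("broken", BROKEN)):
        print(label, parse_users(sample))
```

With the indented form, "cisco" gets Service-Type and cisco-avpair as reply items; with the column-0 form, those two lines are rejected as malformed entries and "cisco" has no reply items at all, which matches an Access-Accept that carries no attributes.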