FreeRADIUS & AD LAP Communication

Russell Mike radius.sir at gmail.com
Wed Nov 20 18:01:03 CET 2013


Dear Good People, Greetings

Version Information: FreeRADIUS 2.2.0.

Question: What does the following mean? Is it not the authentication area in
the "default" virtual server? I have listed "ldap" there.

1.) rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.


2.) I have one Linux OpenLDAP server. FreeRADIUS auth works from that LDAP
server with the following configuration. Please note, the password storage in
the destination Linux LDAP server is cleartext. I check using the following
command.

radtest mike aabb88@ localhost 1812 HYbbunINFDR$88

# CentOS OpenLDAP Server

        server = "ldapserver-mydomain.net"
        identity = "cn=Administrator,dc=ldap-mydomain,dc=net"
        password = "password"
        basedn = "dc=mydomain,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"



I receive Access-Accept !!! - no problem

3.) When I do a user query from FreeRADIUS to a Windows Domain Controller
(Server 2012 x64).

# Windows Domain Controller Server 2012 64-Bit AD

        server = "ldap-mydomain.com"
        identity = "cn=Administrator,cn=Users,dc=ldap-mydomain,dc=com"
        password = "password"
        basedn = "dc=ldap-mydomain,dc=com"

# Enable One Filter Only

        #filter = "(SamAccountName=%u)"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"



3a) Following is the output with REJECT access. Perhaps because the password
storage in AD is not cleartext, is it due to that? Perhaps it cannot be
tested with radtest? I am using the following to test; is it the correct test?

radtest mike aabb88@ localhost 1812 HYbbunINFDR$88

4.) rad_recv: Access-Request packet from host 127.0.0.1 port 46861, id=137, length=75
        User-Name = "mike"
        User-Password = "aabb88@"
        NAS-IP-Address = 14.14.14.14
        NAS-Port = 1812
        Message-Authenticator = 0x4a3417dcf9e80de96f2274fbfa6f5c4d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "mike", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for mike
[ldap]  expand: (SamAccountName=%u) -> (SamAccountName=mike)
[ldap]  expand: dc=ldap-teledataict,dc=com -> dc=ldap-teledataict,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap-mydomain.net:389, authentication 0
  [ldap] bind as cn=Administrator,cn=Users,dc=ldap-teledataict,dc=com/rootadmin to ldap-mydomain.net:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=ldap-teledataict,dc=com, with filter (SamAccountName=mike)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user mike authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[forevertimecounter] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[gigawordcounter] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/auth_all
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mike
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 137 to 127.0.0.1 port 46861
Waking up in 4.9 seconds.
Cleaning up request 0 ID 137 with timestamp +3
Ready to process requests.

Thanks / Regards
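The debug output above shows why the AD case is rejected: rlm_ldap finds the user but AD never hands out a readable password, so pap has nothing to compare and the request ends with no Auth-Type. The following is an added example configuration (not the poster's, and not shipped FreeRADIUS config) showing the FreeRADIUS 2.x pattern of letting rlm_ldap authenticate by binding to AD as the user; the hostname, bind account and basedn are assumed placeholders.

```unlang
# /etc/freeradius/modules/ldap  (FreeRADIUS 2.x, rlm_ldap) - AD fragment
ldap {
        server = "dc.example.com"                               # assumed DC hostname
        # Use a dedicated read-only bind account, not a domain Administrator.
        identity = "cn=radius-bind,cn=Users,dc=example,dc=com"  # assumed account
        password = "bind-account-password"                      # placeholder
        basedn = "cn=Users,dc=example,dc=com"
        # AD identifies logon names by sAMAccountName; cn is a display name
        # and may differ from what the user types.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# /etc/freeradius/sites-enabled/default
authorize {
        preprocess
        suffix
        eap
        ldap
        # AD returned no "known good" password, so pap cannot run. If the
        # request carries a cleartext User-Password (as radtest sends), hand
        # the request to the ldap module for authentication instead.
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        # Listing ldap here is what removes the "Over-riding set_auth_type"
        # message: rlm_ldap now binds to AD with the user's own credentials
        # and returns ok only if the bind succeeds.
        Auth-Type LDAP {
                ldap
        }
}
```

This bind-as-user method only works when the NAS sends the password in cleartext (PAP); CHAP or MS-CHAP clients against AD need a different backend such as ntlm_auth, because the module never sees a password it could hash.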