Hi, <br>
<br>
The same thing has happened; I still cannot authenticate to Windows AD. The same error is displayed when I debug radiusd.... <br>
<br>
I put quotes around the password:<br>
<br>
radtest user 'mypass' 192.168.1.1:1812 1812 testing123<br>
or<br>
radtest user 'mypass' 192.168.1.1:1812 1812 testing123<br><br><div><span class="gmail_quote"><br>
What do you think is the problem?<br>
<br>
On 12/16/05, <b class="gmail_sendername">Alhagie Puye</b> <<a href="mailto:APuye@datawave.com">APuye@datawave.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div align="left" dir="ltr"><span><font color="#0000ff" face="Arial" size="2">Put quotes around the password....one thing I learned. That
will take you further.</font></span></div>
<div align="left" dir="ltr"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div align="left" dir="ltr"><span><font color="#0000ff" face="Arial" size="2">I have a working config. So, please let me know if you are
still running into problems.</font></span></div>
<div align="left" dir="ltr"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div align="left" dir="ltr"><span><font color="#0000ff" face="Arial" size="2">P.S.</font></span></div>
<div align="left" dir="ltr"><span><font color="#0000ff" face="Arial" size="2">I will be posting a doc on the wiki once I'm done with
testing.</font></span></div>
<div> </div>
<p><font size="2">Alhagie Puye - Network Engineer<br>Datawave Group of
Companies<br>(604)295-1817 </font></p>
<div> </div><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div align="left" dir="ltr" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b>
<a href="mailto:freeradius-users-bounces@lists.freeradius.org">freeradius-users-bounces@lists.freeradius.org</a>
[mailto:<a href="mailto:freeradius-users-bounces@lists.freeradius.org">freeradius-users-bounces@lists.freeradius.org</a>] <b>On Behalf Of
</b>Michael Calizo<br><b>Sent:</b> December 15, 2005 8:26 PM<br><b>To:</b>
<a href="mailto:Freeradius-Users@lists.freeradius.org">Freeradius-Users@lists.freeradius.org</a><br><b>Subject:</b> FreeRadius cannot
Authenticate to Windows AD<br></font><br></div><div><span class="e" id="q_108322fa3d58d97c_1">
<div></div>Hi Gurus,<br><br><br>I have installed FreeRADIUS and used the LDAP module to authenticate to Windows 2003 AD. The problem is that it can't do the authentication; it seems that I missed the radius.conf LDAP module configuration, which causes the LDAP module to fail when connecting to MS AD. Below is my radius.conf config file.<br><br><br>Hoping that you guys can help me, because I have been googling all day for this config and I cannot make this thing work... Thanks in advance.<br><br>radius.conf:<br><br>ldap
{<br>
server = "oberon.chikka.ph"<br>
# identity = "cn=admin,o=My Org,c=UA"<br>
identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"<br>
password = _bant@3a-@n<br>
# password = mypass<br>
basedn = "dc=chikka,dc=ph"<br>
# filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"<br>
#filter = "(SamAccountName=%U)"<br>
#filter = "(SamAccountName=%u)"<br>
# base_filter = "(objectclass=radiusprofile)"<br>
base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"<br>
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"<br><br>
# set this to 'yes' to use TLS encrypted connections<br>
# to the LDAP database by using the StartTLS extended<br>
# operation.<br>
# The StartTLS operation is supposed to be used with normal<br>
# ldap connections instead of using ldaps (port 636) connections<br>
start_tls = no<br><br>
# tls_cacertfile = /path/to/cacert.pem<br>
# tls_cacertdir = /path/to/ca/dir/<br>
# tls_certfile = /path/to/radius.crt<br>
# tls_keyfile = /path/to/radius.key<br>
# tls_randfile = /path/to/rnd<br>
# tls_require_cert = "demand"<br><br>
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"<br>
# profile_attribute = "radiusProfileDn"<br>
access_attr = "dialupAccess"<br><br>
dictionary_mapping = ${raddbdir}/ldap.attrmap<br><br>
ldap_connections_number = 5<br><br>
#<br>
# NOTICE: The password_header directive is NOT case insensitive<br>
#<br>
# password_header = "{clear}"<br>
#<br>
# The server can usually figure this out on its own, and pull<br>
# the correct User-Password or NT-Password from the database.<br>
#<br>
# Note that NT-Passwords MUST be stored as a 32-digit hex<br>
# string, and MUST start off with "0x", such as:<br>
#<br>
# 0x000102030405060708090a0b0c0d0e0f<br>
#<br>
# Without the leading "0x", NT-Passwords will not work.<br>
# This goes for NT-Passwords stored in SQL, too.<br>
#<br>
# password_attribute = userPassword<br>
groupname_attribute = cn<br>
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<br>
groupmembership_attribute = memberOf<br>
timeout = 4<br>
timelimit = 3<br>
net_timeout = 1<br>
# compare_check_items = yes<br>
# do_xlat = yes<br>
# access_attr_used_for_allow = yes<br>
}<br><br><br>Here is my
radiusd -X -A log:<br><br>
rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59<br>
 User-Name = "myaccount"<br>
 User-Password = "mypass"<br>
 NAS-IP-Address = 255.255.255.255<br>
 NAS-Port = 1812<br>
 Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 0<br>
 modcall[authorize]: module "preprocess" returns ok for request 0<br>
 modcall[authorize]: module "chap" returns noop for request 0<br>
 modcall[authorize]: module "mschap" returns noop for request 0<br>
 rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL<br>
 rlm_realm: No such realm "NULL"<br>
 modcall[authorize]: module "suffix" returns noop for request 0<br>
 rlm_eap: No EAP-Message, not doing EAP<br>
 modcall[authorize]: module "eap" returns noop for request 0<br>
 users: Matched DEFAULT at 152<br>
 modcall[authorize]: module "files" returns ok for request 0<br>
modcall: group authorize returns ok for request 0<br>
 rad_check_password: Found Auth-Type ldap<br>
auth: type "LDAP"<br>
 Processing the authenticate section of radiusd.conf<br>
modcall: entering group Auth-Type for request 0<br>
rlm_ldap: - authenticate<br>
rlm_ldap: login attempt by "myaccount" with password "mypass"<br>
radius_xlat: '(&(sAMAccountName=myaccount)'<br>
radius_xlat: 'dc=domain,dc=com'<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>
rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: attempting LDAP reconnection<br>
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0<br>
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389<br>
rlm_ldap: waiting for bind result ...<br>
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf<br>
rlm_ldap: (re)connection attempt failed<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>
 modcall[authenticate]: module "ldap" returns fail for request 0<br>
modcall: group Auth-Type returns fail for request 0<br>
auth: Failed to validate the user.<br>
Delaying request 0 for 1 seconds<br>
Finished request 0<br>
Going to the next request<br>
--- Walking the entire request list ---<br>
Waking up in 1 seconds...<br>
--- Walking the entire request list ---<br>
Sending Access-Reject of id 42 to 192.168.1.13:37146<br>
Waking up in 4 seconds...<br>
--- Walking the entire request list ---<br>
Cleaning up request 0 ID 42 with timestamp 43a23bb5<br>
Nothing to do. Sleeping until we see a request.<br><br clear="all"><br>-- <br>Mike Calizo<br>Registered Linux User # 365113<br><br>_________________________________________________<br>Even the longest journey has to start with a small first-step<br>
</span></div></blockquote><p></p>
<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br>
</blockquote></div><br><br clear="all"><br>-- <br>Mike Calizo<br>Registered Linux User # 365113<br><br>_________________________________________________<br>Even the longest journey has to start with a small first-step<br>
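<p>The debug output quoted above stops at the simple bind (rlm_ldap: LDAP login failed), but the posted ldap block also carries problems that would only surface after the bind is fixed: the filter as the log shows it, '(&amp;(sAMAccountName=myaccount)', is missing its closing parenthesis; the memberOf comparison in base_filter uses a bare name where Active Directory stores a full group DN; and the password directive is unquoted, which is the point the reply raises. What follows is an added example, not code from this thread or from the FreeRADIUS project: a small Python linter that parses such an ldap { } block, expands %{Stripped-User-Name:-%{User-Name}} the way radius_xlat does, and reports those three findings before radiusd is started. The configuration excerpt it checks (SAMPLE_CONF) is constructed for the example, with placeholder host, DNs and password in the same shape as the posted block.</p>

```python
"""Lint the ldap { } block of a FreeRADIUS 1.x radiusd.conf before starting radiusd.

Added example; not code from the mailing-list thread or the FreeRADIUS project.
It checks only the directives the posted config uses (identity, password,
basedn, filter, base_filter) and expands the one xlat form that config uses,
%{Attr} / %{Attr:-fallback}. SAMPLE_CONF is a constructed excerpt with
placeholder host, DNs and password (not real credentials) that reproduces the
posted block's unquoted password and unbalanced filter.
"""
import re

SAMPLE_CONF = """
ldap {
    server = "ldap.example.test"
    identity = "cn=backops,cn=Admin,dc=example,dc=test"
    password = s3cr3t@pass
    basedn = "dc=example,dc=test"
    # base_filter = "(objectclass=radiusprofile)"
    base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=example,DC=test))"
    filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
}
"""

DIRECTIVE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$')
# attr=value pairs separated by commas: the shape of an LDAP DN
DN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$')


def parse_ldap_block(text):
    """Return {directive: (value, was_quoted)} for the ldap { ... } block,
    skipping commented-out lines and stripping surrounding double quotes."""
    m = re.search(r'ldap\s*\{(.*?)\n\}', text, re.S)
    if not m:
        raise ValueError("no ldap { } block found")
    out = {}
    for line in m.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        d = DIRECTIVE.match(line)
        if d:
            key, raw = d.group(1), d.group(2)
            quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
            out[key] = (raw[1:-1] if quoted else raw, quoted)
    return out


def _matching_brace(s, open_idx):
    """Index of the '}' that closes the '{' at open_idx (handles nesting)."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == '{':
            depth += 1
        elif s[k] == '}':
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unterminated %{ in: " + s)


def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-fallback} against request attributes, as
    radius_xlat does for the filter before the LDAP search. A fallback may
    itself contain %{...}; an unknown attribute with no fallback becomes ''."""
    out, i = [], 0
    while i < len(template):
        if template.startswith('%{', i):
            j = _matching_brace(template, i + 1)
            name, sep, fallback = template[i + 2:j].partition(':-')
            if name in attrs:
                out.append(attrs[name])
            elif sep:
                out.append(xlat(fallback, attrs))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return ''.join(out)


def filter_problems(expr):
    """Parenthesis balance of an RFC 4515 search filter string."""
    problems, depth = [], 0
    if not expr.startswith('('):
        problems.append("does not start with '('")
    for ch in expr:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return problems + ["')' without a matching '('"]
    if depth:
        problems.append("%d unclosed '(' (missing ')')" % depth)
    return problems


def memberof_problems(expr):
    """AD's memberOf holds full group DNs, so (memberOf=...) must compare
    against attr=value[,attr=value...], not a bare group name."""
    return ["memberOf value is not a DN: %r" % v
            for v in re.findall(r'\(memberOf=([^)]*)\)', expr, flags=re.I)
            if not DN.match(v)]


def lint(text, user='myaccount'):
    """Run the checks over the ldap block and return the list of findings."""
    cfg, findings = parse_ldap_block(text), []
    for key in ('identity', 'password', 'basedn', 'filter'):
        if key not in cfg:
            findings.append('%s: missing' % key)
    if 'password' in cfg and not cfg['password'][1]:
        findings.append('password: value is not quoted; write password = "..."')
    if 'identity' in cfg and not DN.match(cfg['identity'][0]):
        findings.append('identity: not a DN (%s)' % cfg['identity'][0])
    for key in ('base_filter', 'filter'):
        if key in cfg:
            expanded = xlat(cfg[key][0], {'User-Name': user})
            for p in filter_problems(expanded) + memberof_problems(expanded):
                findings.append('%s: %s, expands to %s' % (key, p, expanded))
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

<p>Against the constructed excerpt the linter reports the unquoted password, the non-DN memberOf value in base_filter and the unclosed parenthesis in filter. To run it on a real file, call lint(open('/etc/raddb/radiusd.conf').read()); a clean run still says nothing about whether the identity DN and password are accepted by the directory, which is the separate bind failure the log shows.</p>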