Hi all,<br><br><br>I have my freeradius deploy (2.0.2) configured to authenticate users against Active Directory and that is working fine. But I want to retrieve user's profile from Active Directory, to add VLAN ID (Tunel-Private-Group-ID) to Access-Accept reply.<br>
<br>I really don't know how to do this and I could find a clear solution, either in documentation (rlm_ldap) ot by googling. So I would appreciate if someone could give me a hand on this.<br><br>What I've done so far is to add this entry to ldap.attrmap file: "replyItem radiusProfileDn memberOf". The profile I want to retrieve is the CN in this object like "cn=PROFILE,dc=domain,dc=com", but in radius debug I'm getting this error:<br>
<br><br>++[ntdomain] returns noop<br>rlm_ldap: - authorize<br>rlm_ldap: performing user authorization for figo<br> expand: %{Stripped-User-Name} -> figo<br> expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo)<br>
expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo)<br>
rlm_ldap: looking for check items in directory...<br>rlm_ldap: looking for reply items in directory...<br>rlm_ldap: Failed to create the pair: Invalid octet string "CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn"<br>
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>rlm_ldap: user figo authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>
rlm_eap: EAP packet type response id 8 length 80<br> rlm_eap: Continuing tunnel setup.<br>++[eap] returns ok<br>++[mschap] returns noop<br> expand: %{Stripped-User-Name} -> figo<br> expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo<br>
++[files] returns noop<br> rad_check_password: Found Auth-Type EAP<br>auth: type "EAP"<br>+- entering group authenticate<br> rlm_eap: Request found, released from the list<br> rlm_eap: EAP/peap<br> rlm_eap: processing type peap<br>
rlm_eap_peap: Authenticate<br> rlm_eap_tls: processing TLS<br> eaptls_verify returned 7 <br> rlm_eap_tls: Done initial handshake<br> eaptls_process returned 7 <br> rlm_eap_peap: EAPTLS_OK<br> rlm_eap_peap: Session established. Decoding tunneled attributes.<br>
rlm_eap_peap: Received EAP-TLV response.<br> rlm_eap_peap: Success<br> Using saved attributes from the original Access-Accept<br> rlm_eap: Freeing handler<br>++[eap] returns ok<br>Login OK: [<a href="http://LDAPTEST.COM">LDAPTEST.COM</a>\\figo/<via Auth-Type = EAP>] (from client portatil port 0 cli 02-00-00-00-00-01)<br>
Sending Access-Accept of id 17 to <a href="http://192.168.10.200">192.168.10.200</a> port 33000<br> User-Name = "figo"<br> MS-MPPE-Recv-Key = 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5<br>
MS-MPPE-Send-Key = 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d<br> EAP-Message = 0x03080004<br> Message-Authenticator = 0x00000000000000000000000000000000<br><br><br><br>Is this the way I to achieve or I want or am I completely wrong? <br>
<br>Thnx,<br><br><br><br>Nelson Vale<br><br>