I would like to say thanks to the forum, my problem was solved.
For information, this is what I had to configure to get it all working. My only bit of concern was a warning message:

[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details

but I'll check that out later.
Make sure everything else is working fine via your AD + ntlm_auth.

I added additional items to the ldap attributes file /etc/raddb/ldap.attrmap

ldap.attrmap file amendments:
#added Tunnel attributes 17-01-09
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
replyItem Tunnel-Type radiusTunnelType
#I added the Ldap-Group attribute to the top of my users file /etc/raddb/users
#I have two groups configured on my test AD, and will search both

DEFAULT Ldap-Group == "dmwc-m"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = videoNet,
        Tunnel-Type = VLAN

DEFAULT Ldap-Group == "dmwc-s"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = staff,
        Tunnel-Type = VLAN

## I have Cisco kit so use the name of the VLAN, not its VLAN number ##

## My amendments to /etc/raddb/modules/ldap
ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "10.10.6.131"
        #identity = "cn=admin,o=My Org,c=UA"
        identity = "cn=Administrator,cn=users,dc=MYDOMAIN,dc=co,dc=uk"
        password = yourADpassword
        basedn = "cn=users,dc=MYDOMAIN,dc=co,dc=uk"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

        # Group membership checking. Disabled by default.

        groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        ## My groupmembership differs from the example due to the way AD names its objects ##
        groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
        ## My groupmembership_attribute differs from the example due to the way AD names its objects ##
        ## If you see my ldapsearch from the earlier post you'll know why ##
        # groupmembership_attribute = radiusGroupName
        groupmembership_attribute = memberOf

        #ldap_debug = 0x0028
        # I wanted to see more detail from the ldap function so enabled debug ##
        ldap_debug = 0xFFFF
}

I changed nothing else in this file, since I'm testing so not using LDAPS.
## The only change in /etc/raddb/sites-enabled/default was to uncomment the ldap section
## I left the authenticate section well alone, it stopped EAP when I started the LDAP bit of it

authorize {

        chap
        mschap
        eap {
                ok = return
        }

        # I have users in a SQL database, don't want AD messing it up #
        sql
        if (ok) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := No
                }
        }

        # I uncommented the ldap section ##
        ldap
        files
        expiration
        logintime
        pap

}

## The only change in /etc/raddb/sites-enabled/inner-tunnel was to uncomment the ldap section

authorize {

        chap
        mschap
        update control {
                Proxy-To-Realm := LOCAL
        }

        eap {
                ok = return
        }

        sql
        if (ok) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := No
                }
        }
        # I uncommented the ldap section ##
        ldap
        # Read the 'users' file
        files

        expiration
        logintime
        pap
}
This is an edited output from the radius debug:

[ldap] performing user authorization for radman02
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radman02))
[ldap] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(sAMAccountName=radman02))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user radman02 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(cn=dmwc-m)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=radman02,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (objectclass=*)
rlm_ldap: performing search in CN=DMWC-S,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (cn=dmwc-m)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::groupcmp: Group dmwc-m not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(cn=dmwc-s)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=radman02,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (objectclass=*)
rlm_ldap: performing search in CN=DMWC-S,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (cn=dmwc-s)
rlm_ldap::ldap_groupcmp: User found in group dmwc-s
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 7
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "staff"
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "radman02"
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "staff"
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "radman02"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 149 to 10.10.3.29 port 1645
        EAP-Message = 0x010c002b19001703010020728cf1296a7fbd29a4fbdd91f4eb91f41556edff389bd508e76784386de2a70a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1092235a199e3a66f6b5d4d498ec03a0
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.10.3.29 port 1645, id=150, length=222
        User-Name = "radman02"
        Framed-MTU = 1400
        Called-Station-Id = "0021.55ac.f2d2"
        Calling-Station-Id = "0013.498d.a61f"
        Service-Type = Login-User
        Message-Authenticator = 0xad3bca4d90af3e257cb1d6e093ce61b4
        EAP-Message = 0x020c005019001703010020ed5d9b0cbdb88826957605ccde2fc1e9c6665da024547d82af4f555fafffad1c1703010020efd0be4bf53aa8c267d8f19e58f80f8bd907076fc9e236e910f4aff6b34f3027
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 4380
        NAS-Port-Id = "4380"
        State = 0x1092235a199e3a66f6b5d4d498ec03a0
        NAS-IP-Address = 10.10.3.29
        NAS-Identifier = "THEO"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "radman02", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> radman02
[sql] sql_set_user escaped user --> 'radman02'
[sql] expand: %{User-Password} ->
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radman02', '', 'Access-Accept', '2009-01-18 22:01:43')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radman02', '', 'Access-Accept', '2009-01-18 22:01:43')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 150 to 10.10.3.29 port 1645
        MS-MPPE-Recv-Key = 0x5624be3ba66dd23cd25917c57661775be5c44b565056f613bed23f4c00734d99
        MS-MPPE-Send-Key = 0x6aed0e4c2a8dceafd68d6647931ec43eaa0b5ba7b9048c50b70702b86f9e6e59
        EAP-Message = 0x030c0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "radman02"
Finished request 11.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Accounting-Request packet from host 10.10.3.29 port 1646, id=31, length=223
        Acct-Session-Id = "000010F0"
        Called-Station-Id = "0021.55ac.f2d2"
        Calling-Station-Id = "0013.498d.a61f"
        Cisco-AVPair = "ssid=metnet01"
        Cisco-AVPair = "vlan-id=40"
        Cisco-AVPair = "nas-location=unspecified"
        User-Name = "radman02"
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 4380
        NAS-Port-Id = "4380"
        Service-Type = Framed-User
        NAS-IP-Address = 10.10.3.29
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 4380,Client-IP-Address = 10.10.3.29,NAS-IP-Address = 10.10.3.29,Acct-Session-Id = "000010F0",User-Name = "radman02"'
[acct_unique] Acct-Unique-Session-ID = "bca4df300dada0d6".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "radman02", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.10.3.29/detail-20090118
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.10.3.29/detail-20090118
[detail] expand: %t -> Sun Jan 18 22:01:43 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> radman02
++[radutmp] returns ok
[sql] expand: %{User-Name} -> radman02
[sql] sql_set_user escaped user --> 'radman02'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> radman02
        attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 31 to 10.10.3.29 port 1646
Finished request 12.
Cleaning up request 12 ID 31 with timestamp +12
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 1 ID 140 with timestamp +12
Cleaning up request 2 ID 141 with timestamp +12
Cleaning up request 3 ID 142 with timestamp +12
Cleaning up request 4 ID 143 with timestamp +12
Cleaning up request 5 ID 144 with timestamp +12
Waking up in 0.1 seconds.
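As an added example (not the poster's code and not FreeRADIUS's own), here is a small Python emulation of how the two DEFAULT Ldap-Group entries in the users file above turn an AD user's memberOf values into the Tunnel-* reply items seen in the debug output. The AD data and the DC=example,DC=test domain are constructed; the real rlm_ldap does the group lookup over LDAP, not on a dict.

```python
import re

# Constructed AD result for the test user. The group DN is upper-case
# (CN=DMWC-S) while the users file says "dmwc-s", as in the debug output.
AD_USER = {"memberOf": ["CN=DMWC-S,CN=Users,DC=example,DC=test",
                        "CN=Domain Users,CN=Users,DC=example,DC=test"]}

# The two DEFAULT entries from the post, as the files module reads them.
USERS_FILE = '''DEFAULT Ldap-Group == "dmwc-m"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = videoNet,
        Tunnel-Type = VLAN

DEFAULT Ldap-Group == "dmwc-s"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = staff,
        Tunnel-Type = VLAN
'''

def parse_users(text):
    """Return [(group, {reply attribute: value})] per DEFAULT Ldap-Group entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r'DEFAULT\s+Ldap-Group\s*==\s*"([^"]+)"', lines[0])
        if not m:
            continue  # not a group-keyed entry; ignored in this emulation
        reply = {}
        for line in lines[1:]:
            attr, val = line.strip().rstrip(",").split("=", 1)
            reply[attr.strip()] = val.strip()
        entries.append((m.group(1), reply))
    return entries

def group_cns(member_of):
    """CN of each memberOf DN (the post's groupmembership_attribute), lower-cased
    because LDAP cn matching is case-insensitive."""
    return [dn.split(",", 1)[0][3:].lower()
            for dn in member_of if dn.lower().startswith("cn=")]

def reply_items(user, users_text):
    """First entry whose Ldap-Group the user is in wins: the files module stops
    there unless Fall-Through is set, so a member of both groups gets videoNet."""
    cns = group_cns(user["memberOf"])
    for group, reply in parse_users(users_text):
        if group.lower() in cns:
            return reply
    return None  # no matching group: no Tunnel-* attributes go in the reply
```

A user in neither group gets no Tunnel-* attributes at all, which on the Cisco kit means the default VLAN for the SSID rather than a denied login; put a final DEFAULT entry with Auth-Type := Reject in the users file if that is not what you want.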