<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Okay, so I think I’m getting closer. But I have a few challenges still. I am slowly learning how to parse the RADIUS –X debug output, now it’s a matter of knowing what to do with the information.</div>
<div> </div>
<div>I know that when I've setup Cacti servers or other Linux based servers that bind to LDAP, I've had problems with 2 different facets of the implementation. </div>
<div> </div>
<div>1. Domain Groups with spaces sometimes would or wouldn't work. (Is that the case with FreeRADIUS?) </div>
<div>2. Recursive searches were a problem. See below for how the basic Active Directory structure looks for us (Note the spaces in the names). For Cacti, I had to create a new OU, with a new Security Group that didn’t have spaces in it. That was the only
way I could get LDAP Binds to work for Group Authentication. (I find it hard to belive that’s the case with FreeRADIUS…I tend to lean more towards my bad configuration).</div>
<div> </div>
<div>DOMAIN.EXAMPLE.COM</div>
<div> ADMIN - Users</div>
<div> ADMIN - Groups</div>
<div> ADMIN - Servers</div>
<div> Computers</div>
<div> Users</div>
<div> Domain Controllers</div>
<div> Built-In</div>
<div> Etc..</div>
<div> </div>
<div>So, in that example, if I wanted to have a user be Authenticated who resides in “ADMIN – Users”, but the group is in “ADMIN – Groups”, does it matter to the RADIUS LDAP module?</div>
<div> </div>
<div> </div>
<div>Now, in /etc/raddb/modules/ldap , we would have the binding setup as follows. Note that the Base DN is the top level of the domain because it has to be able to recursively search all sub-OU's to find both users, and groups.</div>
<div> </div>
<div>**************************************</div>
<div><span style="background-color:lime;"><b>/etc/raddb/modules/ldap</b></span></div>
<div><font color="red"> </font></div>
<div><font color="#0070C0"><b> server = "172.16.5.200"</b></font></div>
<div><font color="#0070C0"><b> identity = "CN=Administrator,CN=Users,DC=</b><b>DOMAIN</b><b>,DC=</b><b>EXAMPLE</b><b>,DC=</b><b>COM</b><b>"</b></font></div>
<div><font color="#0070C0"><b> password = </b><b>MyPasswordForBIND</b></font></div>
<div><font color="#0070C0"><b> </b><span style="background-color:yellow;"><b>basedn = "DC=</b></span><span style="background-color:yellow;"><b>DOMAIN</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>EXAMPLE</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>COM</b></span><span style="background-color:yellow;"><b>"</b></span></font></div>
<div><font color="#0070C0"><b> filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"</b></font></div>
<div><font color="#0070C0"><b> #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"</b></font></div>
<div><font color="#0070C0"><b> #base_filter = "(objectclass=radiusprofile)"</b></font></div>
<div><font color="#0070C0"> </font></div>
<div><font color="#0070C0"><b> groupname_attribute = cn</b></font></div>
<div><font color="#0070C0"><b> groupmembership_filter = "(|(&(objectClass=group)(member=%Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"</b></font></div>
<div><font color="#0070C0"><b> groupmembership_attribute = memberOf</b></font></div>
<div> </div>
<div>**************************************</div>
<div> </div>
<div> </div>
<div>NOTE: I am kind of lost here. I see so many people using so many different syntaxes that I’m not sure if I’m using the right one. At present, the “users” file is completely default except for the following lines I’ve added at the very top. So, no
matter what my LDAP output shows, If I uncomment the two lines for ntlm_auth, I can login with any Domain User regardless of the top 2 lines that say “Domain Admins”, and all others are rejected. So I’m thinking ultimately my problem is not just here, but
also with the LDAP bind taking place as you can see below. </div>
<div>**************************************</div>
<div><span style="background-color:lime;"><b>/etc/raddb/users</b></span><b> </b></div>
<div> </div>
<div><font color="#0070C0"><b>DEFAULT Ldap-Group == </b><b>"CN=Domain Admins,CN=ADMIN - Groups,DC=DOMAIN,DC=HOME,DC=COM"</b><b>, Auth-Type = ntlm_auth</b></font></div>
<div><font color="#0070C0"><b>DEFAULT Auth-Type = Reject</b></font></div>
<div><font color="red"> </font></div>
<div><font color="red"><b>#DEFAULT Auth-Type = ntlm_auth</b></font></div>
<div><font color="red"><b># Reply-Message = </b><b>“</b><b>You have been successfully authenticated! </b><b>“</b></font></div>
<div>**************************************</div>
<div> </div>
<div> </div>
<div> </div>
<div>Here’s the checklist of what I’ve done. </div>
<div> </div>
<ol style="margin:0;padding-left:36pt;">
<li> Added an entry simply as “ldap” under the “Instantiate” section in /etc/raddb/radiusd.conf</li><li>Added the LDAP information as shown above in /etc/raddb/modules/ldap</li><li>Configured ntlm_auth under /etc/raddb/modules/ntlm_auth</li><li>Configured the mschap module under /etc/raddb/modules/mschap</li><li>Added a list of clients who can authenticate in /etc/raddb/clients.conf</li><li>Added an entry to check against LDAP groups in /etc/raddb/users (I believe this is still a problem for me. I don’t think I have it configured properly. I think I need to visually see an example as it’s just not “clicking” with me for some reason.</li></ol>
<div> </div>
<div> </div>
<div> </div>
<div>Here’s the RADIUSD –X output from my last auth attempt.</div>
<div> </div>
<div>BEGIN RADIUS – X DEBUG OUTPUT</div>
<div>NOTE: I’ve changed all my domain information for this troubleshooting, and also highlighted anywhere it’s referenced. I’m hoping I’m</div>
<div>On the right track with what I’ve highlighted below as to where I believe the problem is.</div>
<div>####################################################################################################### </div>
<div>####################################################################################################### </div>
<div>####################################################################################################### </div>
<div>####################################################################################################### </div>
<div> </div>
<div>rad_recv: Access-Request packet from host 10.10.0.5 port 1645, id=72, length=73</div>
<div> User-Name = "<span style="background-color:lime;">USERNAMEHERE</span>"</div>
<div> User-Password = "<span style="background-color:lime;">PASSWORDOMMITTED</span>"</div>
<div> NAS-Port = 389</div>
<div> NAS-Port-Id = "tty389"</div>
<div> NAS-Port-Type = Virtual</div>
<div> NAS-IP-Address = 10.10.0.5</div>
<div># Executing section authorize from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div>
<div>++[chap] returns noop</div>
<div>++[mschap] returns noop</div>
<div>++[digest] returns noop</div>
<div><span style="background-color:lime;">[suffix] No '@' in User-Name = "</span><span style="background-color:lime;">USERNAMEHERE</span><span style="background-color:lime;">", looking up realm NULL</span></div>
<div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div>
<div>[eap] No EAP-Message, not doing EAP</div>
<div>++[eap] returns noop</div>
<div> [ldap] Entering ldap_groupcmp()</div>
<div><span style="background-color:yellow;">[files] expand: DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">com</span><span style="background-color:yellow;">
-> DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">com</span></div>
<div>[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details</div>
<div>[files] ... expanding second conditional</div>
<div><span style="background-color:lime;">[files] expand: %{User-Name} -></span><span style="background-color:lime;"> USERNAMEHERE</span></div>
<div><span style="background-color:lime;">[files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=</span><span style="background-color:lime;">USERNAMEHERE</span><span style="background-color:lime;">))</span></div>
<div> [ldap] ldap_get_conn: Checking Id: 0</div>
<div> [ldap] ldap_get_conn: Got Id: 0</div>
<div> [ldap] attempting LDAP reconnection</div>
<div> [ldap] (re)connect to 172.16.5.200:389, authentication 0</div>
<div> <span style="background-color:yellow;">[ldap] bind as CN=Administrator,CN=Users,DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">com</span><span style="background-color:yellow;">/</span><span style="background-color:yellow;">ADMINPASSHERE</span><span style="background-color:yellow;">
to 172.16.5.200:</span>389</div>
<div> [ldap] waiting for bind result ...</div>
<div> [ldap] Bind was successful</div>
<div> <span style="background-color:yellow;">[ldap] performing search in DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">com</span><span style="background-color:yellow;">,
with filter (&(sAMAccountName=</span><span style="background-color:yellow;">USERNAMEHERE</span><span style="background-color:yellow;">))</span></div>
<div><span style="background-color:yellow;"> [ldap] rebind to URL ldap://DomainDnsZones.</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">.</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">.com/DC=DomainDnsZones,DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=e</span><span style="background-color:yellow;">xample</span><span style="background-color:yellow;">,DC=com</span></div>
<div><span style="background-color:yellow;"> [ldap] rebind to URL ldap://ForestDnsZones.</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">.</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">.com/DC=ForestDnsZones,DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=</span><span style="background-color:yellow;">example</span><span style="background-color:yellow;">,DC=com</span></div>
<div><span style="background-color:yellow;"> [ldap] rebind to URL ldap://</span><span style="background-color:yellow;">domain.example</span><span style="background-color:yellow;">.com/CN=Configuration,DC=</span><span style="background-color:yellow;">domain</span><span style="background-color:yellow;">,DC=e</span><span style="background-color:yellow;">xample</span><span style="background-color:yellow;">,DC=com</span></div>
<div> [ldap] ldap_release_conn: Release Id: 0</div>
<div>[files] expand: (|(&(objectClass=group)(member=%Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=/var/log/radiusdap-UserDn}))(&(objectClass=top)(uniquemember=)))</div>
<div> [ldap] ldap_get_conn: Checking Id: 0</div>
<div> [ldap] ldap_get_conn: Got Id: 0</div>
<div><font color="red"><b> </b><span style="background-color:yellow;"><b>[ldap] performing search in CN=Domain Admins,CN=Users,DC=</b></span><span style="background-color:yellow;"><b>example</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>domain</b></span><span style="background-color:yellow;"><b>,DC=com,
with filter (|(&(objectClass=group)(member=/var/log/radiusdap-UserDn}))(&(objectClass=top)(uniquemember=)))</b></span></font></div>
<div><font color="red"><span style="background-color:yellow;"><b> [ldap] object not found</b></span></font></div>
<div> [ldap] ldap_release_conn: Release Id: 0</div>
<div> [ldap] ldap_get_conn: Checking Id: 0</div>
<div> [ldap] ldap_get_conn: Got Id: 0</div>
<div> [ldap] performing search in CN=USER HERE,OU=Admin-Sec_Groups,DC=example,DC=domain,DC=com, with filter (objectclass=*)</div>
<div> [ldap] performing search in CN=SSHADMINS,OU=Security Groups,OU=ADMIN - Groups, DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=VPN Users,OU=Security Groups,OU=ADMIN - Groups, DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=Cacti_Users,OU=Admin-Sec_Groups,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=HSP Admins,OU=ASP Security Groups,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=LoginWeb,CN=Users,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=SSO,OU=ASP Security Groups,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=Schema Admins,CN=Users,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=Enterprise Admins,CN=Users,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div> [ldap] performing search in CN=Domain Users,CN=Users,DC=example,DC=domain,DC=com, with filter (cn=CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com)</div>
<div> [ldap] object not found</div>
<div><font color="red"> </font></div>
<div>##########################################################################################</div>
<div><font color="red"><span style="background-color:yellow;"><b>Now this just isn’t true…Below, highlighted in green it says the username is authorized for remote access…</b></span></font></div>
<div><font color="red"> </font></div>
<div><font color="red"><span style="background-color:yellow;"><b>rlm_ldap::groupcmp: Group CN=Domain Admins,CN=Users,</b></span><span style="background-color:yellow;"><b> </b></span><span style="background-color:yellow;"><b>DC=</b></span><span style="background-color:yellow;"><b>example</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>domain</b></span><span style="background-color:yellow;"><b>,DC=com
</b></span><span style="background-color:yellow;"><b>not found or user not a member</b></span></font></div>
<div><b>########################################################################################## </b></div>
<div><font color="red"> </font></div>
<div> </div>
<div> </div>
<div> [ldap] ldap_release_conn: Release Id: 0</div>
<div>++[files] returns noop</div>
<div><span style="background-color:lime;"><b>[ldap] performing user authorization for </b></span><span style="background-color:lime;"><b>USERNAMEHERE</b></span></div>
<div>[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details</div>
<div>[ldap] ... expanding second conditional</div>
<div><span style="background-color:lime;"><b>[ldap] expand: %{User-Name} -> </b></span><span style="background-color:lime;"><b>USERNAMEHERE</b></span></div>
<div><span style="background-color:lime;"><b>[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=</b></span><span style="background-color:lime;"><b>USERNAMEHERE</b></span><span style="background-color:lime;"><b>))</b></span></div>
<div><span style="background-color:yellow;"><b>[ldap] expand: </b></span><span style="background-color:yellow;"><b>DC=</b></span><span style="background-color:yellow;"><b>example</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>domain</b></span><span style="background-color:yellow;"><b>,DC=com
</b></span><span style="background-color:yellow;"><b>-> </b></span><span style="background-color:yellow;"><b>DC=</b></span><span style="background-color:yellow;"><b>example</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>domain</b></span><span style="background-color:yellow;"><b>,DC=com</b></span></div>
<div> [ldap] ldap_get_conn: Checking Id: 0</div>
<div> [ldap] ldap_get_conn: Got Id: 0</div>
<div><b> </b><span style="background-color:yellow;"><b>[ldap] performing search in </b></span><span style="background-color:yellow;"><b>DC=</b></span><span style="background-color:yellow;"><b>example</b></span><span style="background-color:yellow;"><b>,DC=</b></span><span style="background-color:yellow;"><b>domain</b></span><span style="background-color:yellow;"><b>,DC=com</b></span><span style="background-color:yellow;"><b>,
with filter (&(sAMAccountName=</b></span><span style="background-color:yellow;"><b>USERNAMEHERE</b></span><span style="background-color:yellow;"><b>))</b></span></div>
<div> [ldap] rebind to URL ldap://DomainDnsZones.domain.example.com/DC=DomainDnsZones,DC=example,DC=domain,DC=com</div>
<div> [ldap] rebind to URL ldap://ForestDnsZones.domain.example.com/DC=ForestDnsZones,DC=example,DC=domain,DC=com</div>
<div> [ldap] rebind to URL ldap://domain.example.com/CN=Configuration,DC=example,DC=domain,DC=com</div>
<div>[ldap] looking for check items in directory...</div>
<div>[ldap] looking for reply items in directory...</div>
<div><font color="red"><b><i>WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?</i></b></font></div>
<div><span style="background-color:lime;"><b>[ldap] user</b></span><span style="background-color:lime;"><b> USERNAMEHERE</b></span><span style="background-color:lime;"><b> authorized to use remote access</b></span></div>
<div> [ldap] ldap_release_conn: Release Id: 0</div>
<div>++[ldap] returns ok</div>
<div>++[expiration] returns noop</div>
<div>++[logintime] returns noop</div>
<div><b><i>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</i></b></div>
<div>++[pap] returns noop</div>
<div><font color="red"> </font></div>
<div><b>################################################################### </b></div>
<div> </div>
<div><b>Is this what the actual problem is? Looks like it to me. I thought I addressed this with the line I put in /etc/raddb/users stating that the Auth-Type = ntlm_auth was good for Ldap-Group “Domain Admins</b><b>” Is my syntax wrong? </b></div>
<div> </div>
<div><font color="red"><span style="background-color:yellow;"><b><i>ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user</i></b></span></font></div>
<div><font color="red"><span style="background-color:yellow;"><b><i>Failed to authenticate the user.</i></b></span></font></div>
<div><font color="red"><span style="background-color:yellow;"><b><i>Using Post-Auth-Type Reject</i></b></span></font></div>
<div><font color="red"><span style="background-color:yellow;"><b><i># Executing group from file /etc/raddb/sites-enabled/default</i></b></span></font></div>
<div><font color="red"><span style="background-color:yellow;"><b><i>+- entering group REJECT {...}</i></b></span></font></div>
<div><b>####################################################################</b></div>
<div> </div>
<div><span style="background-color:lime;"><b>[attr_filter.access_reject] expand: %{User-Name} -></b></span><span style="background-color:lime;"><b>USERNAMEHERE</b></span></div>
<div> attr_filter: Matched entry DEFAULT at line 11 </div>
<div>++[attr_filter.access_reject] returns updated</div>
<div>Sending Access-Reject of id 72 to 10.10.0.5 port 1645</div>
<div>Finished request 0.</div>
<div>Going to the next request</div>
<div>Waking up in 4.9 seconds.</div>
<div>Cleaning up request 0 ID 72 with timestamp +10</div>
<div>Ready to process requests.</div>
<div> </div>
<div>####################################################################################################### </div>
<div>####################################################################################################### </div>
<div>####################################################################################################### </div>
<div>####################################################################################################### </div>
<div>END OF RADIUSD –X DEBUG OUTPUT</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>-----Original Message-----<br>
From: freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org [<a href="mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org">mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org</a>] On Behalf Of Julson,
Jim<br>
Sent: Saturday, June 23, 2012 7:44 AM<br>
To: FreeRadius users mailing list<br>
Subject: RE: Can't figure out Group Authentication</div>
<div> </div>
<div>Alan, </div>
<div> </div>
<div>That was about the most clear and concise description of the process I've found/heard to date. Thank you for taking the time to educate me. I will attempt to get this going today. I think I have everything that I need at this point. </div>
<div> </div>
<div>Have a good one. </div>
<div> </div>
<div>-----Original Message-----</div>
<div>From: <a href="mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org">freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org</a> <a href="mailto:[mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org]">[mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org]</a>
On Behalf Of Alan DeKok</div>
<div>Sent: Saturday, June 23, 2012 6:22 AM</div>
<div>To: FreeRadius users mailing list</div>
<div>Subject: Re: Can't figure out Group Authentication</div>
<div> </div>
<div>Julson, Jim wrote:</div>
<div>> Now, I then setup my Cisco router accordingly, and then did an SSH </div>
<div>> test to it using my AD Account. Voila! It worked great. _*/However, </div>
<div>> so did every other "Domain User" account in the environment. /*_ This </div>
<div>> goes back to me being so new to RADIUS and Linux where I don't feel </div>
<div>> like I'm fully grasping all of the directives within the configuration </div>
<div>> files, and exactly how they all tie together.</div>
<div> </div>
<div> Honestly, I don't remember much of that, either. When I configure the server, I usually go back and read the comments *I wrote* to figure out what to do.</div>
<div> </div>
<div> But for your issue, you told the server to "use AD to authenticate all users". So that's what it did.</div>
<div> </div>
<div>> *So, how do I lock down the SSH Authentication to an Active Directory </div>
<div>> Group of users, or individual users? * Remember, go easy on me. I'll </div>
<div>> provide whatever you need to help. I'm assuming you will ask for my </div>
<div>> RADIUSD -X output, so I've attached that as well.</div>
<div> </div>
<div>1) configure AD as an LDAP server. See raddb/modules/ldap</div>
<div> </div>
<div>2) add "ldap" to the "instantiate" section of radiusd.conf</div>
<div> There are references to "ldap" in "authorize" and "authentication"</div>
<div> You won't need those.</div>
<div> </div>
<div>3) Do group checking with LDAP-Group == "group name"</div>
<div> </div>
<div> See the FAQ for examples of rejecting users with a particular group.</div>
<div>The FAQ uses "Group", which is "Unix group from /etc/passwd". Just use LDAP-Group instead.</div>
<div> </div>
<div>> NOTE: One thing I don't understand is how in Alan DeKok's write up from</div>
<div>> the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth"</div>
<div>> in the "/etc/raddb/users" file, but yet that's one of the final steps </div>
<div>> to test in the write-up.</div>
<div> </div>
<div> It's an intermediate step. It's necessary only when you're forcing authentication back-ends.</div>
<div> </div>
<div>> Maybe it's because I am so new, but I've been through that document </div>
<div>> probably 30 times line by line, and yet every time I remove that </div>
<div>> entry, it breaks the Authentication.</div>
<div> </div>
<div> Yes. The server needs to now HOW to authenticate the users. The incoming RADIUS packet contains what KIND of authentication method.</div>
<div>PAP, CHAP, MS-CHAP, etc. So the server has no choice there.</div>
<div> </div>
<div> But where does it get the passwords from? Normally this is a DB. But AD isn't a DB (for various reasons). Instead, the "Auth-Type = ntlm_auth" reformats and *proxies* the authentication over the Samba protocol, using the ntlm_auth program.</div>
<div> </div>
<div> i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this correct?"</div>
<div> </div>
<div> If the server has passwords from a DB, it can just authenticate the user directly. If it doesn't have a password for that user, it has to hand off the authentication to someone else.</div>
<div> </div>
<div> Alan DeKok.</div>
<div>-</div>
<div>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></div>
<div>The information contained in this e-mail message may be confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail
message in error, please notify the sender immediately by replying to this message and then delete it from your system.</div>
<div> </div>
<div>-</div>
<div>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></div>
<div> </div>
</span></font>
</body>
</html>
<pre>The information contained in this e-mail message may be confidential and
protected from disclosure. If you are not the intended recipient, any
dissemination, distribution or copying is strictly prohibited. If you
think that you have received this e-mail message in error, please notify
the sender immediately by replying to this message and then delete it
from your system.