<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Everyone,<br><br>
I'm new to FreeRADIUS and I've been reading some of the mailing list e-mails.<br><br>
I've got FreeRADIUS version 2.1.12 installed with CentOS 6.<br><br>
So I've followed the instructions for getting FreeRADIUS working with ntlm_auth and Windows 2012 Active Directory, based on the link below:<br>
<a href="http://deployingradius.com/documents/configuration/active_directory.html" target="_blank">http://deployingradius.com/documents/configuration/active_directory.html</a><br><br>
Everything works great!<br><br>
The only issue is that now I need dynamic VLAN working, and I also need to look up the MAC address from an MSSQL database to validate the user before allowing access to the network.<br><br>
After reading more about ntlm_auth, it will only respond with true or false, and this method doesn't really help with what I want to accomplish.<br><br>
What I need to do is, based on what group the user belongs to, assign them to a specific VLAN, i.e. if you are staff you go to VLAN 7 and if you are a student you go to VLAN 9.<br><br>
Is there any How-To guide for setting up ldap for Active Directory just like the link above?<br><br>
I've tried to set up the ldap module and I'm running into issues.<br><br>
This is what my ldap config looks like:<br><br>
<pre>ldap {
    server = "xxx.xxx.xxx"
    basedn = "dc=xxx,dc=xxx,dc=xxx"
    filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
    groupmembership_attribute = "Administrators"
    ldap_connections_number = 5
    timeout = 40
    timelimit = 30
    net_timeout = 10
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    groupmembership_attribute = memberOf
    chase_referrals = yes
    rebind = yes
    ldap_debug = 0x0028
    keepalive {
        idle = 60
        probes = 3
        interval = 3
    }
}</pre><br>
Here is my debug info. I know it's not working, because I don't even see it trying to contact the radius server, which is why I'm asking if there is a quick HowTo:<br>
<pre>rad_recv: Access-Request packet from host 127.0.0.1 port 33583, id=125, length=74
 User-Name = "xxxxxxx"
 User-Password = "xxxxxxx"
 NAS-IP-Address = xx.xx.xxxx
 NAS-Port = 0
 Message-Authenticator = 0x1c451a3ee1cd4caabec9e764c4006d2b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> xxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'xxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User username not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 125 to 127.0.0.1 port 33583
Waking up in 4.9 seconds.
Cleaning up request 1 ID 125 with timestamp +2007
Ready to process requests.</pre><br>
Someone also posted that they can get ntlm_auth working with groups, and that you need to change the stuff around? It would be great if someone could provide a how-to on getting this to work with dynamic VLAN.<br><br>
Any help would be greatly appreciated.<br><br>
Thanks<br> </div></body>
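As an added example, not part of the original post: a FreeRADIUS 2.1.x configuration that keeps mschap/ntlm_auth for authentication, runs the ldap module in authorize purely to learn AD group membership, and hands out VLAN 7 or VLAN 9 through Tunnel-* reply attributes after authentication succeeds. The group names, server, base DN and bind account are assumed placeholders; the authorize listing shows only the modules relevant here.

```unlang
# Added example for FreeRADIUS 2.1.x, not from the original post. Placeholders:
# AD groups "staff"/"students", server ldap.example.local, base DN dc=example,dc=local.
# modules/ldap: authorization (group lookup) only; mschap + ntlm_auth keep authenticating.
ldap {
    server = "ldap.example.local"
    identity = "cn=radius-svc,cn=Users,dc=example,dc=local"   # read-only bind account
    password = "CHANGEME"
    basedn = "dc=example,dc=local"
    filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
    groupname_attribute = cn
    groupmembership_attribute = memberOf   # AD lists the user's group DNs on the user object
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
# sites-enabled/default: ldap must be listed in authorize or it never runs
# (the debug output above shows no "[ldap]" line at all); other stock modules omitted.
authorize {
    preprocess
    mschap
    suffix
    eap
    files
    ldap        # sets control:Ldap-UserDn and makes Ldap-Group checks possible
    pap
}
# Assign the VLAN only after authentication succeeded, so a wrong password never
# receives Tunnel-* attributes; a user in neither group is rejected outright.
post-auth {
    if (Ldap-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "7"
        }
    }
    elsif (Ldap-Group == "students") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "9"
        }
    }
    else {
        reject
    }
}
```

Run `radiusd -X` after the change and confirm that an `[ldap]` line now appears in the authorize output; if an AD group's cn contains spaces, quote it exactly as the directory shows it.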
</html>