On Thu, Feb 1, 2018, at 10:27 PM, Michael Sartain wrote:
On Thu, Feb 1, 2018, Nathan Ward wrote:
Usual expectation is that you show a radius debug with the packets being processed. The one you have pasted only shows the process starting up and config being parsed and such. You’ve sort of included some of that debug under (A) and (B) sections so you’ve definitely got it, but for some reason you haven’t posted it. If you could post the whole thing, people can likely help you more.
Apologies, entire "radiusd -X" output from radclient executions are below.
I get what's going on with everything except the part that I marked:
## Mike: where could this Login incorrect be coming from?
From what I can tell, group authorize was never called, so who/what/where is nacking this username?
Ok, figured it out. Synology has customized their version of radius. https://sourceforge.net/projects/dsgpl/files/Packages/DSM%205.2%20Package%20... rad_authenticate() in src/main/auth.c has an added call to CheckAuth(), which winds up doing this: // local only, ad only, ldap only, "ad + local" ad part if (0 > SYNOUserGet(szFullNameUser, ppUser)) { radlog(L_ERR, "Login incorrect: Incorrect user name (input name [%s], full name [%s])", szUserName, szFullNameUser); goto End; } I'm no expert on freeradius, but I'm pretty sure this could have been handled in a more standardized / transparent way. Oh, well. -Mike