I found how to run Radius in debug mode in pfsense. I have made some changes in the config files also. This are the key settings: server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Tramontane10520 basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" groupmembership_attribute = * compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes ### MS Active Directory Compatibility is disabled ### In case you are wandering why I have "*" in base_filter and groupmembership_attribute, is an attempt for Radius to ignore this settings, otherwise the pfsense default will have set it to the default which I think do not match with my AD settings. On the wiki, this parameters are empty, thus ignored. I think am closer but still fails. By the way I tried setting compare_check_items = no, but this makes the Ldap_Group setting to be ignored, all users get Auth-Type = Accept THIS IS THE DEBUG OUTPUT: radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built on Sep 29 2014 at 22:08:50 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/wimax including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/always including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cache including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/counter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ detail.example.com including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/digest including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/etc_group including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/files including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5 including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/linelog including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/passwd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/policy including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radrelay including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/realm including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/redis including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/rediswho including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/replicate including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smsotp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sql_log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/pbi/freeradius-i386" localstatedir = "/var" sbindir = "/usr/pbi/freeradius-i386/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client squid { ipaddr = 192.168.56.1 require_message_authenticator = no secret = "squid4030" shortname = "squid" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/pbi/freeradius-i386/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 1427428800 [2015-03-27 00:00:00] Module: Instantiating module "weekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 1427601600 [2015-03-29 00:00:00] Module: Instantiating module "monthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 1427860800 [2015-04-01 00:00:00] Module: Instantiating module "forever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 0 [2015-03-26 15:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ?�(rlm_logintime modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Auth-Type = LDAP Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/motp exec motp { wait = yes program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/pbi/freeradius-i386/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap ldap { server = "jetsms-srv2003.jetdom.local" port = 389 password = "Tramontane10520" expect_password = yes identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem" cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/" certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt" keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key" randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" require_cert = "never" } basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" groupmembership_attribute = "*" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = yes do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x285164a0 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/pbi/freeradius-i386/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem" certificate_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem" CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem" private_key_password = "whatever" dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh" random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups" hints = "/usr/pbi/freeradius-i386/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/pbi/freeradius-i386/etc/raddb/modules/files files { usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users" acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users" preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/pbi/freeradius-i386/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "datacounterdaily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.56.1 port = 1812 } listen { type = "acct" ipaddr = 192.168.56.1 port = 1813 } Listening on authentication address 192.168.56.1 port 1812 Listening on accounting address 192.168.56.1 port 1813 Listening on proxy address 192.168.56.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=24, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) rlm_ldap::ldap_groupcmp: User found in group internetaccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Pairs do not match. Rejecting user. [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = reject ++} # policy redundant = reject +} # group authorize = reject expand: -> Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 24 to 192.168.56.1 port 1783 rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=24, length=71 Sending duplicate reply to client squid port 1783 - ID: 24 Sending Access-Reject of id 24 to 192.168.56.1 port 1783 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=25, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) rlm_ldap::ldap_groupcmp: User found in group internetaccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Pairs do not match. Rejecting user. [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = reject ++} # policy redundant = reject +} # group authorize = reject expand: -> Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 25 to 192.168.56.1 port 1783 rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=25, length=71 Sending duplicate reply to client squid port 1783 - ID: 25 Sending Access-Reject of id 25 to 192.168.56.1 port 1783 Waking up in 1.7 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=26, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) rlm_ldap::ldap_groupcmp: User found in group internetaccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Pairs do not match. Rejecting user. [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = reject ++} # policy redundant = reject +} # group authorize = reject expand: -> Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 26 to 192.168.56.1 port 1783 Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=26, length=71 Sending duplicate reply to client squid port 1783 - ID: 26 Sending Access-Reject of id 26 to 192.168.56.1 port 1783 Waking up in 0.7 seconds. Cleaning up request 0 ID 24 with timestamp +13 Waking up in 3.2 seconds. Cleaning up request 1 ID 25 with timestamp +17 Waking up in 0.9 seconds. Cleaning up request 2 ID 26 with timestamp +18 Ready to process requests. On Thu, Mar 26, 2015 at 12:56 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
For the group/user attribute properties I see that probably this come from Linux. If you can tell me the Linux command used to get that, I can search the Web for the MS equivalent. On Mar 26, 2015 9:54 AM, "Jose Torres-Berrocal" < jetsystemservices@gmail.com> wrote:
Thank you for the description of the attribute parameter. I began to understand it. If I end using the attribute parameter it would be "cn", and the value "InternetAccess" as that is the group name. In which parameter I should write the value and what syntax on both?
In terms of the base_filter, still do not understand it, as I do not have a radiusprofile, but using it in my config as default. On pfsense I leave this parameter empty, but the generated Conf file includes it. Even though I do not have a radiusprofile I successfully match my users/password against AD. So it seems to be ignored.
As the Groups/Users attributes example you ask, I need help getting that. I just create the Group with the AD defaults using the MS AD GUI, and assign the user as a member without any fancy stuff. On Mar 26, 2015 8:52 AM, "Ben Humpert" <ben@an3k.de> wrote:
2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal < jetsystemservices@gmail.com>:
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax.
Well, the setting clearly asks for an attribute such as sAMAccountName or userPassword. The name of a group is a value, the value of the attribute cn. So yes, it is not the correct parameter ;)
On my first email I included my LDAP.conf file as generated by pfsense.
I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group.
Setting up user authentication is kind of simple. You just need to match the basedn, filter and base_filter to your directory and that's it. After understanding how these settings are merged into a search request it is also easy to set up group authentication. I did so after working with XLAT, now it's easy for me but before I had no clue at all what I was doing :) What helped me much was the information that unlike in databases like *SQL you always want to get only ONE result in Directories, thus the filter needs to be as strict as required to only find one user or group. If you would find more how should Radius know which is the correct entry?
The original ldap file says the following about membership_filter
"Filter to find group objects a user is a member of. That is, group objects with attributes that identify members (the inverse of membership_attribute)."
and this about membership_attribute
"The attribute in user objects which contain the names or DNs of groups a user is a member of. Unless a conversion between group name and group DN is needed, there's no requirement for the group objects referenced to actually exist."
That means that if your groups have attributes which contain the names or uids of the users that are member of that group you do not use membership_attribute but membership_filter. If instead your users have attributes containing the names or gids of the groups the user is member of then you use membership_attribute instead of membership_filter.
What is the case in your setup? Could you post an example of a group and as well an user like the one below?
# Guest, Groups, example.com dn: cn=Guest,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: radiusProfile cn: Guest gidNumber: 17068 memberUid: guest memberUid: tobtsc memberUid: marhab
# guest, Users, example.com dn: uid=guest,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: radiusProfile gidNumber: 0 uid: guest uidNumber: 18459 dialupAccess: Yes cn: Guest
As you can see, the attribute "memberUid" is used to store the names of those users who are member of the group Guest, thus membership_attribute is not in use in my setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html