At 04:48 PM 8/24/2010, Rick Steeves wrote:
I authenticate VPN users where the VPN Server authenticates against a LDAP server and FreeRadius 2.1.8 on CentOS. That generally, works fine. I'm using a user account to authenticate the radius server against AD for the queries.
What's odd is tho the other user accounts work, I can't authenticate with that actual user account (even though it's in the same Security group). Multiple other users in the security group VPN_Users work.
I tracked down where this is different. In huntgroups I have: VPN_Huntgroup NAS-IP-Address == x.x.x.x In users I have: DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users" Reply-Message := "Authorized Users Only" For a normal user, I see: Tue Aug 24 17:02:32 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns ok Tue Aug 24 17:02:32 2010 : Info: Found Auth-Type = MSCHAP Tue Aug 24 17:02:32 2010 : Info: +- entering group MS-CHAP {...} But if the LDAP service account connects with the VPN_Huntgroup set, I see: Tue Aug 24 16:41:57 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns reject Tue Aug 24 16:41:57 2010 : Auth: Invalid user: [_sonicwall] (from client VPN_SOHO port 0) If I remove VPN_Huntgroup NAS-IP-Address == x.x.x.x I from huntgroups, the normal accounts still work and log the same, but the LDAP service account now looks like the normal users account in the logs, and defaults to MSCHAP and then everything is ok. As always, no idea why. Any insights appreciated for why that account behaves differently. Thx. Rick