OK. Lets try again. I think one coffusion is that Radius has a setting called Groupname attribute. I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. Let say that the AD/LDAP groups are called Wingroups, and Wingroup name is for instance Domain Admins. In my case I want to use the Wingroup InternetAccess. I do not know how to make aside the conffusion on Authorization and Authentication, but let say that Authentication is having a process where the username/password combination values that are received in the connection request is verified against the LDAP and if found it is say to be Authenticated succesfully otherwise failed. I know there are other types of Authentications but I want to keep it simple. Now, Authorization is the process to allow or denied the request to connect. I now there are branches to this, but for simplicity I would like to keep it in that. Then, I want to allow connection to requests that have a username/password combination authenticated succesfully against an LDAP (Windows AD) and which user belongs to Wingroup InternetAccess. I have being succesfull allowing connection by username/password or by the user belonging to Wingroup, but not at the same time. Those are the debugs I already sent you. When I set the Group name attribute, groupmembership_filter and groupmembership_attribute (Which is what I call using group options) I am succesfull allowing/denied connection by the user belonging to the Wingroup, but it currently ignores the password. When I comment the Group name attribute, groupmembership_attribute, etc (Which is what I call not using group options), I am succesfull allowing/denied connection by the username/password, but clearly does not work with the Wingroup. I have being playing with the Users.conf file and I think is really close for what I need, not sure if it is the correct way. ==================================================== /usr/pbi/freeradius-i386/etc/raddb/users "test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject Ldap-Group == "InternetAccess", Auth-Type := LDAP ==================================================== Debug output that closely do what I want. Ii is long because is showing on the same run four (4) tests. 1. Username/password combination found in LDAP but NOT in Wingroup. 2. Username/password combination not found in LDAP but in Wingroup 3. Username/password combination found in LDAP and in Wingroup 4. Username/password combination not found in LDAP and not in Wingroup basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users [/usr/pbi/freeradius-i386/etc/raddb/users]:5 WARNING! Check item "Ldap-Group" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users Listening on authentication address 192.168.56.1 port 1812 Listening on accounting address 192.168.56.1 port 1813 Listening on proxy address 192.168.56.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=29, length=65 User-Name = "normal1" User-Password = "Tramontane10520" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "normal1", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "normal1", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> normal1 [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=normal1) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=normal1) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Normaluser,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> normal1 [sql] sql_set_user escaped user --> 'normal1' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'normal1' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'normal1' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User normal1 not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for normal1 [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> normal1 [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=normal1) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=normal1) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. expand: -> Login incorrect: [normal1] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> normal1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 29 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=29, length=65 Sending duplicate reply to client squid port 1140 - ID: 29 Sending Access-Reject of id 29 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. Cleaning up request 0 ID 29 with timestamp +25 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=30, length=71 User-Name = "administrator" User-Password = "password" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "password" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/password to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials ++[ldap] = reject +} # group LDAP = reject Failed to authenticate the user. expand: -> Login incorrect ( [ldap] Bind as user failed): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 30 to 192.168.56.1 port 1140 rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=30, length=71 Sending duplicate reply to client squid port 1140 - ID: 30 Sending Access-Reject of id 30 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. Cleaning up request 1 ID 30 with timestamp +35 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=31, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "jet10520b" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user administrator authenticated succesfully ++[ldap] = ok +} # group LDAP = ok expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-22 17:13:08') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-22 17:13:08') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 31 to 192.168.56.1 port 1140 Finished request 2. Going to the next request Waking up in 4.8 seconds. Cleaning up request 2 ID 31 with timestamp +46 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=32, length=64 User-Name = "carlos" User-Password = "casas" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "carlos", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "carlos", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> carlos [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=carlos) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=carlos) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> carlos [sql] sql_set_user escaped user --> 'carlos' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlos' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'carlos' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'carlos' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 +++[sql] = ok ++} # policy redundant = ok ++policy redundant { [ldap] performing user authorization for carlos [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> carlos [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=carlos) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=carlos) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = notfound ++} # policy redundant = notfound rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. expand: -> Login incorrect ( [ldap] User not found): [carlos] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> carlos attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 32 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=32, length=64 Sending duplicate reply to client squid port 1140 - ID: 32 Sending Access-Reject of id 32 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. Cleaning up request 3 ID 32 with timestamp +74 Ready to process requests.