Dear Good Peoples Greetings

Version Information: FreeRADIUS 2.2.0. 

Question: What does the following means? Is it not authentication area in "default" virtual server? i have listed "ldap" there. 

1.) rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.


2.) i have one Linux open-ldap server, FreeRADIUS Auth works from that LDAP server, with following configuration. Please note, the passport storage in destination Linux LDAP Server is cleartext. i do check using the following command.

 radtest mike aabb88@ localhost 1812 HYbbunINFDR$88 

# CentOS Open-ldap Server

        server = "ldapserver-mydomain.net"

        identity = "cn=Administrator,dc=ldap-mydomain,dc=net"

        password = "password"

        basedn = "dc=mydomain,dc=net"

        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        base_filter = "(objectclass=radiusprofile)"

 

i receive, access Accept !!! - NO problem


3.) When i do user query from FreeRADIUS to Windows Domain Controller Server 2012 x64. 

# Windows Domain Controller Server 2012 64-Bit AD 

        server = "ldap-mydomain.com"

        identity = "cn=Administrator,cn=Users,dc=ldap-mydomain,dc=com"

        password = "password"

        basedn = "dc=ldap-mydomain,dc=com"


# Enable One Filter Only

        #filter = "(SamAccountName=%u)"

         filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"

 

3a) Following is the out-put with REJECT access, Perhaps because password storage in AD is not clear text, is it due to that? Perhaps it cannot be tested with redtest?  i am using the following to test, is it correct test

 radtest mike aabb88@ localhost 1812 HYbbunINFDR$88

4.) rad_recv: Access-Request packet from host 127.0.0.1 port 46861, id=137, length=75

        User-Name = "mike"

        User-Password = "aabb88@"

        NAS-IP-Address = 14.14.14.14

        NAS-Port = 1812

        Message-Authenticator = 0x4a3417dcf9e80de96f2274fbfa6f5c4d

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[digest] returns noop

[suffix] No '@' in User-Name = "mike", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

[ldap] performing user authorization for mike

[ldap]  expand: (SamAccountName=%u) -> (SamAccountName=mike)

[ldap]  expand: dc=ldap-teledataict,dc=com -> dc=ldap-teledataict,dc=com

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] attempting LDAP reconnection

  [ldap] (re)connect to ldap-mydomain.net:389, authentication 0

  [ldap] bind as cn=Administrator,cn=Users,dc=ldap-teledataict,dc=com/rootadmin to ldap-mydomain.net:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

  [ldap] performing search in dc=ldap-teledataict,dc=com, with filter (SamAccountName=mike)

[ldap] No default NMAS login sequence

[ldap] looking for check items in directory...

[ldap] looking for reply items in directory...

WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] user mike authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

rlm_sqlcounter: Entering module authorize code

rlm_sqlcounter: Could not find Check item value pair

++[dailycounter] returns noop

rlm_sqlcounter: Entering module authorize code

rlm_sqlcounter: Could not find Check item value pair

++[forevertimecounter] returns noop

++[expiration] returns noop

++[logintime] returns noop

rlm_sqlcounter: Entering module authorize code

rlm_sqlcounter: Could not find Check item value pair

++[gigawordcounter] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user   

Failed to authenticate the user.

Using Post-Auth-Type REJECT

# Executing group from file /etc/freeradius/sites-enabled/auth_all

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> mike

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

Sending Access-Reject of id 137 to 127.0.0.1 port 46861

Waking up in 4.9 seconds.

Cleaning up request 0 ID 137 with timestamp +3

Ready to process requests.


Thanks / Regards