I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected. If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account. DEFAULT Auth-Type = ntlm_auth This is the debug output from a successful auth: rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86 User-Name = "mphillips" User-Password = "xxxx" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "w.x.y.z" NAS-IP-Address = w.x.y.z +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "mphillips", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = ntlm_auth +- entering group ntlm_auth {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mphillips [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxx Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 33 to w.x.y.z port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 33 with timestamp +16 Ready to process requests. Technically, this is all I need; this seems like a hacked way of doing things, though and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file. Now I get this debug output: rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86 User-Name = "mphillips" User-Password = "xxxx" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "w.x.y.z" NAS-IP-Address = w.x.y.z +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "mphillips", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [mphillips/xxxx] (from client Access-Layer-Switch1 port 1 cli w.x.y.z) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mphillips attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 34 to 10.200.1.4 port 1645 Waking up in 4.6 seconds. Cleaning up request 0 ID 34 with timestamp +12 Ready to process requests. Thanks for any assistance. -Mike
Date: Thu, 19 Nov 2009 22:30:50 +0000 Subject: Re: need help authenticating against AD From: tnt@kalik.net To: freeradius-users@lists.freeradius.org
I need some help authenticating against AD. I have followed directions online as best as I can, but things still aren't working as expected.
These:
http://deployingradius.com/documents/configuration/active_directory.html
I'm ultimately hoping to have our VPN users and admins logging into Cisco network equipment authenticate against AD through our FreeRADIUS 2 installation. Today, I have been testing authentication from one of Cisco switches, and I continually receive this basic output:
You are not authenticating against AD. You are authenticating against local system file: ...
Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated ... Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx" Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption. Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
... and the password isn't correct.
I can't tell from this output if the RADIUS server is ever even attempting to reach AD.
It isn't.
Obviously, if I enter the correct password for my username on the RADIUS server itself, authentication will succeed, but this is not the desired behavior at this time.
Comment out unix in authorize then. If you follow the guide this will work with Auth-Type := ntlm_auth in users file.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Hotmail: Trusted email with Microsoft's powerful SPAM protection. http://clk.atdmt.com/GBL/go/177141664/direct/01/ http://clk.atdmt.com/GBL/go/177141664/direct/01/