I would like to say thanks to the forum, my problem was solved for information this is what I had to configure to get it all working my only bit of concern was a warning message: [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details but I'll check that out later. Make sure everything else is working fine via your AD + ntlm_auth I added additional items to the ldap attributes file /etc/raddb/ldap.attrmap ldap.attrmap-file amendments #added Tunnel attributes 17-01-09 replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId replyItem Tunnel-Type radiusTunnelType #I added the Ldap-Group attribute to the top of my users file /etc/raddb/users #I have two groups configured on my test AD, and will search both DEFAULT Ldap-Group == "dmwc-m" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = videoNet, Tunnel-type = VLAN DEFAULT Ldap-Group == "dmwc-s" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = staff, Tunnel-type = VLAN ## I have cisco kit so use the name of the vlan not it's vlan number## ## My amendements to /etc/raddb/modules/ldap ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "10.10.6.131" #identity = "cn=admin,o=My Org,c=UA" identity = "cn=Administrator,cn=users,dc=MYDOMAIN,dc=co,dc=uk" password = yourADpassword basedn = "cn=users,dc=MYDOMAIN,dc=co,dc=uk" filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))" # Group membership checking. Disabled by default. groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" * ##My groupmembership differs from the example due to the way AD names it's objects##* groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))" ##My groupmembership_attribute differs from the example due to the way AD names it's objects## *##If you see my ldapsearch from the earlier post you'll know why##* # groupmembership_attribute = radiusGroupName groupmembership_attribute = memberOf #ldap_debug = 0x0028 #I wanted to see more detail from the ldap function so enabled debug## ldap_debug = 0xFFFF } I changed nothing else in this file, since I'm testing so not using LDAPS ## The only change in /etc/raddb/sites-enabled/default was uncomment the ldap section ## I left the authenticate section well alone, it stopped EAP when I started LDAP bit of it authorize { chap mschap eap { ok = return } # I have users in a SQL database, don't want AD messing it up# sql if (ok) { update control { MS-CHAP-Use-NTLM-Auth := No } } # I uncommented the ldap section## ldap files expiration logintime pap } ## The only change in /etc/raddb/sites-enabled/inner-tunnel was uncomment the ldap section authorize { authorize { chap mschap update control { Proxy-To-Realm := LOCAL } eap { ok = return } sql if (ok) { update control { MS-CHAP-Use-NTLM-Auth :=No } } # I uncommented the ldap section## ldap # Read the 'users' file files expiration logintime pap } This is an edited output from the radius debug [ldap] performing user authorization for radman02 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radman02)) [ldap] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(sAMAccountName=radman02)) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user radman02 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_ldap: Entering ldap_groupcmp() [files] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk [files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)( uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(cn=dmwc-m)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=radman02,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (objectclass=*) rlm_ldap: performing search in CN=DMWC-S,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (cn=dmwc-m) rlm_ldap: object not found or got ambiguous search result rlm_ldap::groupcmp: Group dmwc-m not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk [files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)( uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(cn=dmwc-s)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=radman02,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (objectclass=*) rlm_ldap: performing search in CN=DMWC-S,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (cn=dmwc-s) rlm_ldap::ldap_groupcmp: User found in group dmwc-s rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 7 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "staff" Tunnel-Type:0 = VLAN EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "radman02" [peap] Got tunneled reply RADIUS code 2 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "staff" Tunnel-Type:0 = VLAN EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "radman02" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 149 to 10.10.3.29 port 1645 EAP-Message = 0x010c002b19001703010020728cf1296a7fbd29a4fbdd91f4eb91f41556edff389bd508e76784386de2a70a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1092235a199e3a66f6b5d4d498ec03a0 Finished request 10. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.10.3.29 port 1645, id=150, length=222 User-Name = "radman02" Framed-MTU = 1400 Called-Station-Id = "0021.55ac.f2d2" Calling-Station-Id = "0013.498d.a61f" Service-Type = Login-User Message-Authenticator = 0xad3bca4d90af3e257cb1d6e093ce61b4 EAP-Message = 0x020c005019001703010020ed5d9b0cbdb88826957605ccde2fc1e9c6665da024547d82af4f555fafffad1c1703010020efd0be4bf53aa8c267d8f19e58f80f8bd907076fc9e236e910f4aff6b3 4f3027 NAS-Port-Type = Wireless-802.11 NAS-Port = 4380 NAS-Port-Id = "4380" State = 0x1092235a199e3a66f6b5d4d498ec03a0 NAS-IP-Address = 10.10.3.29 NAS-Identifier = "THEO" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "radman02", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} [sql] expand: %{User-Name} -> radman02 [sql] sql_set_user escaped user --> 'radman02' [sql] expand: %{User-Password} -> [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (us ername, pass, reply, authdate) VALUES ( 'radman02', '', 'Access-Accept', ' 2009-01-18 22:01:43') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radman02', '', 'Access-Accept', '2009-01-18 22:01:43') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 150 to 10.10.3.29 port 1645 MS-MPPE-Recv-Key = 0x5624be3ba66dd23cd25917c57661775be5c44b565056f613bed23f4c00734d99 MS-MPPE-Send-Key = 0x6aed0e4c2a8dceafd68d6647931ec43eaa0b5ba7b9048c50b70702b86f9e6e59 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "radman02" Finished request 11. Going to the next request Waking up in 4.6 seconds. rad_recv: Accounting-Request packet from host 10.10.3.29 port 1646, id=31, length=223 Acct-Session-Id = "000010F0" Called-Station-Id = "0021.55ac.f2d2" Calling-Station-Id = "0013.498d.a61f" Cisco-AVPair = "ssid=metnet01" Cisco-AVPair = "vlan-id=40" Cisco-AVPair = "nas-location=unspecified" User-Name = "radman02" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 NAS-Port = 4380 NAS-Port-Id = "4380" Service-Type = Framed-User NAS-IP-Address = 10.10.3.29 Acct-Delay-Time = 0 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 4380,Client-IP-Address = 10.10.3.29,NAS-IP-Address = 10.10.3.29,Acct-Session-Id = "000010F0",User-Name = "radman02"' [acct_unique] Acct-Unique-Session-ID = "bca4df300dada0d6". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "radman02", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.10.3.29/detail-20090118 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.10.3.29/detail-20090118 [detail] expand: %t -> Sun Jan 18 22:01:43 2009 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> radman02 ++[radutmp] returns ok [sql] expand: %{User-Name} -> radman02 [sql] sql_set_user escaped user --> 'radman02' [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutput octets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acct stopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{ NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '% {Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> radman02 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 31 to 10.10.3.29 port 1646 Finished request 12. Cleaning up request 12 ID 31 with timestamp +12 Going to the next request Waking up in 4.5 seconds. Cleaning up request 1 ID 140 with timestamp +12 Cleaning up request 2 ID 141 with timestamp +12 Cleaning up request 3 ID 142 with timestamp +12 Cleaning up request 4 ID 143 with timestamp +12 Cleaning up request 5 ID 144 with timestamp +12 Waking up in 0.1 seconds.