At 11:13 PM 11/29/2009, freeradius@corwyn.net wrote: A resummary: Goal: Authenticate and Authorize users that telnet into the switches in Groups A and/or B based on their inclusion in a specific AD security group for A & B . Environment: CentOS 5.2 (IP 10.10.0.1) freeradius2-2.1.7-2.el5 freeradius2-utils-2.1.7-2.el5 freeradius2-libs-2.1.7-2.el5 freeradius2-ldap-2.1.7-2.el5 Cisco switch running IOS 12.4 in subnet A (10.100.0.0/24) Cisco switch running IOS 12.4 in subnet B (10.101.0.0/24) windows Active Directory (example.com) with Security Groups A & B Add to modules{} inradiusd.conf: exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}" } Copy: ./raddb/sites-available/default to ./raddb/sites-available/server_A and link it to ./raddb/sites-enabled/server_A ./raddb/sites-available/default to ./raddb/sites-available/server_B and link it to ./raddb/sites-enabled/server_B and then surround the contents of those files with server server_A {..} and server server_B {..} respectively Add to the authenticate{} section of ./server_A and ./server_B : ntlm_auth Edit ./modules/ldap to: ldap { server = "example.com" identity = "CN=user,OU=Enterprise,DC=example,DC=com" password = xxx basedn = "OU=Enterprise,DC=example,DC=com" filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) groupmembership_filter ="(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = "memberOf" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" ... } Add to top of ./raddb/users: DEFAULT Ldap-Group == "UserGroup",Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15" DEFAULT Auth-Type = ntlm_auth Add to ./raddb/cilents.conf: clients disambiguate { client localhost { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) ipaddr = 127.0.0.1 client Cisco_A { ipaddr = 10.101.0.0 netmask = 24 secret = testing123 virtual_server = server_A } client Cisco_B { ipaddr = 10.100.0.0 netmask = 24 secret = testing123 virtual_server = server_B } Add to the listen{} section of radiusd.conf: clients = disambiguate On the cisco switches A & B: aaa new-model aaa group server radius RAD server 10.10.0.1 auth-port 1812 acct-port 1813 ! aaa authentication login default group radius line aaa authentication enable default group radius enable aaa authorization exec default group radius none radius-server host 10.10.0.1 auth-port 1812 acct-port 1813 timeout 3 radius-server retransmit 2 radius-server key 7 encrypted-secret that configuration still fails to authorize, even tho the output of radiusd -X looks like its working (sanitized) rad_recv: Access-Request packet from host 10.100.0.8 port 1812, id=80, length=79 NAS-IP-Address = 10.100.0.8 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "testuser" Calling-Station-Id = "10.100.0.5" User-Password = "password" server server_cisco { +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop rlm_ldap: Entering ldap_groupcmp() [files] expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=testuser)(objectClass=person)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to example.com:389, authentication 0 rlm_ldap: bind as CN=_radiususer,OU=Enterprise,DC=example,DC=com/wxxxxx to example.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=testuser)(objectClass=person)) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dRick\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRickOU\3dUsers\2cOU\3dEnterprise\DC\3dexample\2cDC\3dcom))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(cn=Infrastructure)(|(&(objectClass=GroupOfNames)(member=CN\3dRick\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=Rick,OU=Enterprise,DC=example,DC=com, with filter (objectclass=*) rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=example,DC=com, with filter (cn=Infrastructure) rlm_ldap::ldap_groupcmp: User found in group Infrastructure rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] returns ok [ldap] performing user authorization for testuser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=testuser)(objectClass=person)) [ldap] expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=testuser)(objectClass=person)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=testuser [ntlm_auth] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok +- entering group post-auth {...} ++[exec] returns noop } # server server_cisco Sending Access-Accept of id 80 to 10.100.0.8 port 1812 Finished request 0. Going to the next request Waking up in 5.0 seconds. Cleaning up request 0 ID 80 with timestamp +7 Ready to process requests. If I removing authorization from the Cisco config to: no aaa authorization exec default group radius none and then I can log in. At the top of ./users: rsteeves Cleartext-Password := "xxx" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" also succeeds in logging in, so the issues are in ldap somewhere. But I feel like I'm CLOSE.