Hello all, Situation is like this: FreeRADIUS server already installed with IP 192.168.81.12 and configured to authenticate against LDAP linux server with IP 192.168.92.25. Authentication is working fine. But we need to switch from Linux LDAP to MS AD based on Windows server 2022 on IP 192.168.92.14. I have configured Smaba on radius server to joint the AD and it's working fine. Radius server joined the Domain, commands like wbinfo –a example_user% mypassword or ntlm_auth –-request-nt-key –-domain=XYZDOM –-username=example_ user are working fine as well. However i have stuck on FreeRADIUS configuration. Configuration changes made: ##################################################### sites-enables/default In authorize section pap if (User-Password) { update control { Auth-Type := ldap } } In authenticate section authenticate { Auth-Type PAP { ldap } Uncommented word ldap on separate line in section Auth-Type LDAP # Auth-Type LDAP { ldap # } ##################################################### mods-enabled/ldap ip of ldap server changed to IP of new domain controler ldap { server = 'ldap://192.168.92.14' identity = 'adminusername@mydomain.com' password = adminpassword base_dn = 'dc=mydomain,dc=com' start_tls = no require_cert = 'allow' ##################################################### mods-enabled/eap eap { default_eap_type = peap } ttls { default_eap_type = gtc } tls-config tls-common { random_file = /dev/urandom } ##################################################### proxy.conf realm mydomain.com { } ##################################################### mods-enabled/mschap with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped- User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} -- nt-response=%{%{mschap:NT-Response}:-00} --domain=%{mschap:NT-Domain}" ##################################################### sites-enabled/inner-tunnel authorize { ... # Read the 'users' file files # <--- This one! ... } ##################################################### After all modyfications i started freeradius in degub mode freeradius -fxx -l stdout and issued radtest command: radtest myusername@mydomain.com mypassword localhost 10 testing123 This is output: ##################################################### (0) Received Access-Request Id 87 from 127.0.0.1:34561 to 127.0.0.1:1812 length 88 (0) User-Name = "myusername@mydomain.com" (0) User-Password = "mypassword" (0) NAS-IP-Address = 192.168.81.12 (0) NAS-Port = 10 (0) Message-Authenticator = 0xc529dae657c9aa6feb8b4e2e64bc950e (0) # Executing section authorize from file /etc/freeradius/sites-enabled/ default (0) authorize { (0) policy filter_eduroam_realms { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (!(&User-Name =~ /@/)){ (0) if (!(&User-Name =~ /@/)) -> FALSE (0) if (&User-Name =~ /@$/){ (0) if (&User-Name =~ /@$/) -> FALSE (0) if (&User-Name =~ /@.+?@/){ (0) if (&User-Name =~ /@.+?@/) -> FALSE (0) if (&User-Name =~ /@.+?[^[:alnum:]\.-]/){ (0) if (&User-Name =~ /@.+?[^[:alnum:]\.-]/) -> FALSE (0) if (&User-Name =~ /@[\.-]/){ (0) if (&User-Name =~ /@[\.-]/) -> FALSE (0) if (&User-Name =~ /@.+?[\.-]$/){ (0) if (&User-Name =~ /@.+?[\.-]$/) -> FALSE (0) if (&User-Name =~ /@[^\.]+$/){ (0) if (&User-Name =~ /@[^\.]+$/) -> FALSE (0) if (&User-Name =~ /@.+?\.\./){ (0) if (&User-Name =~ /@.+?\.\./) -> FALSE (0) if (&User-Name =~ /@myabc\.com$/i){ (0) if (&User-Name =~ /@myabc\.com$/i) -> FALSE (0) if (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3 gppnetwork\.org$/i){ (0) if (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3 gppnetwork\.org$/i) -> FALSE (0) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i){ (0) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (0) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i){ (0) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (0) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i){ (0) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (0) if (&User-Name =~ /\.zc$/i){ (0) if (&User-Name =~ /\.zc$/i) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_eduroam_realms = notfound (0) policy filter_myusername { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_myusername = notfound (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2}) [^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2}) [^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_calling_station_id = noop (0) policy operator-name.authorize { (0) if ("%{client:Operator-Name}") { (0) EXPAND %{client:Operator-Name} (0) --> (0) if ("%{client:Operator-Name}") -> FALSE (0) } # policy operator-name.authorize = noop (0) if (Calling-Station-Id !~ /^70-6F-6C-6/) { (0) ERROR: Failed retrieving values required to evaluate condition (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "mydomain.com" for User-Name = "myusername@ mydomain.com" (0) suffix: Found realm "mydomain.com" (0) suffix: Adding Stripped-User-Name = "myusername" (0) suffix: Adding Realm = "mydomain.com" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: Searching for user in group "gzkouska" rlm_ldap (ldap): Reserved connection (0) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.92.14:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) files: Searching for user in group "ucitele-wifi" rlm_ldap (ldap): Reserved connection (1) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (1) (0) files: Searching for user in group "kabinety" rlm_ldap (ldap): Reserved connection (2) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (2) (0) files: Searching for user in group "zaci-wifi" rlm_ldap (ldap): Reserved connection (3) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (3) (0) files: Searching for user in group "ucebny" rlm_ldap (ldap): Reserved connection (4) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (4) (0) files: Searching for user in group "vpn-admin" rlm_ldap (ldap): Reserved connection (0) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (0) (0) files: Searching for user in group "VPN-ucitele" rlm_ldap (ldap): Reserved connection (5) (0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) files: --> (uid=myusername) (0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) files: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) files: Search returned no results rlm_ldap (ldap): Released connection (5) (0) [files] = noop rlm_ldap (ldap): Reserved connection (1) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=myusername) (0) ldap: Performing search in "dc=gyrec,dc=cz" with filter "(uid= myusername)", scope "sub" (0) ldap: Waiting for search result... Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC= ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC= DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server) Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC= cz" (-1: Can't contact LDAP server) (0) ldap: Search returned no results rlm_ldap (ldap): Released connection (1) (0) [ldap] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> myusername@mydomain.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (Failed retrieving values required to evaluate condition): [myusername@mydomain.com] (from client localhost port 10) (0) Delaying response for 1.000000 seconds Thread 1 waiting to be assigned a request Waking up in 0.8 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 87 from 127.0.0.1:1812 to 127.0.0.1:34561 length 20 Waking up in 8.9 seconds. ##################################################### Could you help me and advice where can be problem and what kind of misconfiguration can cause ERROR: Failed retrieving values required to evaluate condition (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject errors? Thank you very much. Chucho Valdez