Adam Schappell wrote:
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
What mech do you want to use in the inner channel (within EAP-TTLS)? Since my OpenLDAP server only has hashed passwords I'm using PAP with Auth-Type LDAP inside EAP-TTLS. pap seems not to be configured in your inner-tunnel. Your mileage may vary.
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=CORP\5caschappell)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (sAMAccountName=CORP\5caschappell)
[ldap] object not found
Why the hell did you enter the user name with NETBIOS domain prefix? FreeRADIUS is *not* a typical Windows component using the Windows-CrackNames-API. So just enter "aschappell" (without the quotes) as user name. Sorry, you should try to read more of the numerous public how-tos describing how to attach FreeRADIUS to MS AD and analyze which mechs are used. (I'm also rather a FreeRADIUS beginner and I read many of those how-tos recently.) Ciao, Michael.