Thank you once again Alan. I know you probably have to "face palm" yourself sometimes when you see the same questions over and over. I appreciate your patience with me. I don't want someone to do it for me, I want to learn it so I can support it. I have decided to start fresh. I had clean copies of every file I've ever touched, so I'm going to try to tackle this sometime during the week. This Amazon AWS Cloud VPC isn't going to build itself :) -----Original Message----- From: freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, June 25, 2012 6:54 AM To: FreeRadius users mailing list Subject: Re: Can't figure out Group Authentication Julson, Jim wrote:
Okay, so I think I’m getting closer. But I have a few challenges still. I am slowly learning how to parse the RADIUS –X debug output, now it’s a matter of knowing what to do with the information.
Use the handy form at: networkradius.com/freeradius.html It tells you the important things to look at.
1. Domain Groups with spaces sometimes would or wouldn't work. (Is that the case with FreeRADIUS?)
It shouldn't be, but you never know.
2. Recursive searches were a problem. See below for how the basic Active Directory structure looks for us (Note the spaces in the names). For Cacti, I had to create a new OU, with a new Security Group that didn’t have spaces in it. That was the only way I could get LDAP Binds to work for Group Authentication. (I find it hard to belive that’s the case with FreeRADIUS…I tend to lean more towards my bad configuration).
Recursive searches are supported in FreeRADIUS. See the "rebind" configuration in the ldap module.
So, in that example, if I wanted to have a user be Authenticated who resides in “ADMIN – Users”, but the group is in “ADMIN – Groups”, does it matter to the RADIUS LDAP module?
It shouldn't.
NOTE: I am kind of lost here. I see so many people using so many different syntaxes that I’m not sure if I’m using the right one.
The documentation is correct. Almost every third-party site is wrong.
At present, the “users” file is completely default except for the following lines I’ve added at the very top. So, no matter what my LDAP output shows, If I uncomment the two lines for ntlm_auth, I can login with any Domain User regardless of the top 2 lines that say “Domain Admins”, and all others are rejected. So I’m thinking ultimately my problem is not just here, but also with the LDAP bind taking place as you can see below. ************************************** */etc/raddb/users** *
DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN - Groups,DC=DOMAIN,DC=HOME,DC=COM",
You just need the group name "admin" or "sales". Not the whole path.
Auth-Type = ntlm_auth DEFAULT Auth-Type = Reject
You don't need the default reject. The server will ALWAYS reject people it doesn't know.
Here’s the RADIUSD –X output from my last auth attempt.
BEGIN RADIUS – X DEBUG OUTPUT NOTE: I’ve changed all my domain information for this troubleshooting, and also highlighted anywhere it’s referenced. I’m hoping I’m On the right track with what I’ve highlighted below as to where I believe the problem is.
Part of the reason for the debug output is to show you what's going on. It prints out the LDAP queries it does. You can copy them, and use them in command-line tests with "ldapsearch". That helps. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information contained in this e-mail message may be confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender immediately by replying to this message and then delete it from your system.