I'm trying to get Freeradius configured to authenicate our vpn users from a Cisco 3005 concentrator against Active Directory using the ldap module. When I authenicated a vpn user on a per user basis - it works fine. However, I want authenicate not only the user, but also verify that the user is a member of a "group" in active directory. I was following Dustin Doris's suggestion on Per-Client "group" matching and configured the huntgroups, users, and radiusd.conf accordingly. However, it seems to fail doing a group lookup. I don't know if it matters, but the user object and group object in Active Directory are in different containers (OU's). Any help would be appreciated. Thanks Robert Graham ########## Debug out: ########## rad_recv: Access-Request packet from host 172.16.1.91:1054, id=40, length=119 User-Name = "rgraham" User-Password = "XXXXXXXXXX" NAS-Port = 1036 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "192.168.15.1" Calling-Station-Id = "192.168.15.2" Tunnel-Client-Endpoint:0 = "192.168.15.2" NAS-IP-Address = 172.16.1.91 NAS-Port-Type = Virtual rad_lowerpair: User-Name now 'rgraham' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for rgraham radius_xlat: '(sAMAccountName=rgraham)' radius_xlat: 'ou=mem users,dc=mem-ins,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to mem_co_dept1.mem-ins.com:389, authentication 0 rlm_ldap: bind as cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com/XXXXXXXXXX to mem_co_dept1.mem-ins.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (sAMAccountName=rgraham) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user rgraham authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rgraham", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mem users,dc=mem-ins,dc=com' radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member. users: Matched DEFAULT at 166 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 40 to 172.16.1.91:1054 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 40 with timestamp 42b1c93a Nothing to do. Sleeping until we see a request. ############ Users file: ############ DEFAULT Huntgroup-Name == vpnusers, LDAP-Group == MEMVPNFlex, Auth-Type := LDAP OU = TestGroup Fall-Through = 1 ############ huntgroup ############ vpnusers NAS-IP-Address == 172.16.1.91 ####################### ldap section of radiusd.conf ####################### ldap { server = "mem_co_dept1.mem-ins.com" basedn = "ou=mem users,dc=mem-ins,dc=com" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" identity = "cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com" password = XXXXXXXXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 }