Cisco to FreeRadius to AD-LDAP authentication
I have tried and nearly completely succeeded in authentication and authorization. The user is identified in LDAP just not provided access (rad_recv: Access-Reject packet from host 10.1.1.27:1812, id=121, length=20). Another issue I have is with the user login. In Windowz, a new user is created by providing the First name, middle initial and last name which is not their "User logon name". These credentials are distributed within AD-LDAP in the "CN=" fields using spaces to break the name. If this is not exactly how the "User logon name" is installed then radius request rejects authentication. An example would be: User Tom Thumb Logon tthumb CN=Tom Thumb sAMAccountName=radtest So when a request of the database occurrs using ldap lookup with "cn=tthumb" it fails and I do not know if there is another way around this but using sAMAccountName doesn't work either. I am hopeful that I am missing something. My question is, how do I get an "Accept" from the request and is there a way around the basedn naming conventions that will alllow FreeRadius to work with Windowz? Below is user "testing" with a logon of "testing". rlm_ldap: - authorize rlm_ldap: performing user authorization for testing radius_xlat: '(cn=testing)' radius_xlat: 'ou=xxxx0,dc=xxxx1,dc=xxxx2,dc=EDU' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to xxxx1.xxxx2.EDU:389, authentication 0 rlm_ldap: bind as superuser@xxxx1.xxxx2.edu/password <mailto:superuser@xxxx1.xxxx2.edu/password> to xxxx1.xxxx2.EDU:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=xxxx0,dc=xxxx1,dc=xxxx2,dc=EDU, with filter (cn=testing) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testing authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 10.1.1.27:32803, id=121, length=59 Sending Access-Reject of id 121 to 10.1.1.27:32803 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 121 with timestamp 43c2d99f Nothing to do. Sleeping until we see a request.
"Dickson, John" <JDickson2@mccneb.edu> wrote:
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory...
The user's clear-text password wasn't obtained from the LDAP server. This is to be expected in AD, as it doesn't supply them, ...
rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0
This message should be clear: the user isn't found in /etc/passwd.
My question is, how do I get an "Accept" from the request and is there a way around the basedn naming conventions that will alllow FreeRadius to work with Windowz?
The issue here isn't with basedn naming conventions. It's that you haven't set up FreeRADIUS to ask AD about authenticating the user. If the users log in with clear-text passwords, my suggestion is to set up rlm_smb, and point it to the domain controller. That will let FreeRADIUs use AD for authentication. Alan DeKok.
participants (2)
-
Alan DeKok -
Dickson, John