Hi, I am new user and using Freeradius first time. I have followed http://www.perkinsblog.net/blog/index.php/2010/02/freeradius-and-windows-ad/ I want to authenticate freeradius with my active directory. I want to assign Prev level 15 to Active directory user who are member of group CiscoAdmin and prev level 1 to member of CiscoOpetator. Freeradius is able to authenticate individual active directoty user, but when I configure LDAP group in users file it is not working. Logs are afollowing :- rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=177, length=82 NAS-IP-Address = 172.17.3.210 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "vijay.singh" Calling-Station-Id = "172.17.27.9" User-Password = "Password" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "vijay.singh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] Entering ldap_groupcmp() [files] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> vijay.singh [files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.3.223:389, authentication 0 [ldap] bind as CN=ADS Admin,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh)) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=/var/log/radiusdap-UserDn}))(&(objectClass=top)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=/var/log/radiusdap-UserDn}))(&(objectClass=top)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Vijay Singh,OU=Servers,DC=kochar,DC=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for vijay.singh [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> vijay.singh [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh)) [ldap] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user vijay.singh authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "vijay.singh" with password "Password" [ldap] user DN: CN=Vijay Singh,OU=Servers,DC=kochar,DC=com [ldap] (re)connect to 172.17.3.223:389, authentication 1 [ldap] bind as CN=Vijay Singh,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user vijay.singh authenticated succesfully ++[ldap] returns ok expand: Host %n% -> Host 172.17.3.210% Login OK: [vijay.singh] (from client Kipl Asr Network port 1 cli 172.17.27.9) Host 172.17.3.210% # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 177 to 172.17.3.210 port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 177 with timestamp +12 Ready to process requests. Can anyone help to get autheticattion working with active directory group? -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I have changed from %Ldap-UserDN to %{Ldap-UserDN} but still not able to login from my cisco switch. The logs are as following :- rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=184, length=82 NAS-IP-Address = 172.17.3.210 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "vijay.singh" Calling-Station-Id = "172.17.27.9" User-Password = "Password" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "vijay.singh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] Entering ldap_groupcmp() [files] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> vijay.singh [files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.3.223:389, authentication 0 [ldap] bind as CN=ADS Admin,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh)) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Vijay Singh,OU=Servers,DC=kochar,DC=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for vijay.singh [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> vijay.singh [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh)) [ldap] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user vijay.singh authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "vijay.singh" with password "Password" [ldap] user DN: CN=Vijay Singh,OU=Servers,DC=kochar,DC=com [ldap] (re)connect to 172.17.3.223:389, authentication 1 [ldap] bind as CN=Vijay Singh,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user vijay.singh authenticated succesfully ++[ldap] returns ok expand: Host %n% -> Host 172.17.3.210% Login OK: [vijay.singh] (from client Kipl Asr Network port 1 cli 172.17.27.9) Host 172.17.3.210% # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 184 to 172.17.3.210 port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 184 with timestamp +14 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I have changed from %Ldap-UserDN to %{Ldap-UserDN} but still not able to login from my cisco switch.
Sending Access-Accept of id 184 to 172.17.3.210 port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 184 with timestamp +14 Ready to process requests.
FR sent Access-Accept back. do you need to send other attributes back for access to the terminal via RADIUS? alan
Yes, I want to send other attributes back for access to the terminal via RADIUS i.e. user should get access to cisco device and get privilege level 15 or 1. The /etc/raddb/users entry is as following :- DEFAULT LDAP-Group == "CiscoAdminLr" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" But user is getting "% Authorization failed." -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, radiusd -X are you sure that your config isnt eg stripping cisco-avpair before the RADIUS accept packet is being sent to the device? alan
I have started Radius with radiusd -X After entering user name and password in cisco device it is giving "% Authorization failed." immediatley. The logs are as following. I don't know is it stripping cisco-avpair before the RADIUS accept packet are sent to device. How to check the same ? rad_recv: Access-Request packet from host 172.17.3.210 port 1645, id=197, length=82 NAS-IP-Address = 172.17.3.210 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "vijay.singh" Calling-Station-Id = "172.17.27.9" User-Password = "Password" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "vijay.singh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] Entering ldap_groupcmp() [files] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> vijay.singh [files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.3.223:389, authentication 0 [ldap] bind as CN=ADS Admin,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh)) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(cn=CiscoAdminLr)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Vijay Singh,OU=Servers,DC=kochar,DC=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for vijay.singh [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> vijay.singh [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=vijay.singh)) [ldap] expand: OU=Servers,dc=kochar,dc=com -> OU=Servers,dc=kochar,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Servers,dc=kochar,dc=com, with filter (&(sAMAccountName=vijay.singh)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user vijay.singh authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "vijay.singh" with password "Password" [ldap] user DN: CN=Vijay Singh,OU=Servers,DC=kochar,DC=com [ldap] (re)connect to 172.17.3.223:389, authentication 1 [ldap] bind as CN=Vijay Singh,OU=Servers,DC=kochar,DC=com/Password to 172.17.3.223:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user vijay.singh authenticated succesfully ++[ldap] returns ok expand: Host %n% -> Host 172.17.3.210% Login OK: [vijay.singh] (from client Kipl Asr Network port 1 cli 172.17.27.9) Host 172.17.3.210% # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 197 to 172.17.3.210 port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 197 with timestamp +27 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
vijaysingh wrote:
I have started Radius with radiusd -X After entering user name and password in cisco device it is giving "% Authorization failed." immediatley.
The logs are as following. I don't know is it stripping cisco-avpair before the RADIUS accept packet are sent to device. How to check the same ?
Maybe *read* the debug log? Or post the output here: http://networkradius.com/freeradius.html
[ldap] performing search in CN=Vijay Singh,OU=Servers,DC=kochar,DC=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop
What does that mean to you? Alan DeKok.
Got it, Actually I was givining wrong parameter in /etc/raddb/modules/ldap Changed the parameter as following, now it is working fine. groupmembership_attribute = memberOf Thanks for your support. Vijay. -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Not-working-properly-tp4593327p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Alan Buxey -
Alan DeKok -
Phil Mayers -
vijaysingh