Hi! Experts Sorry for disturbing, I try to use LDAP as FreeRADIUS backend DB to authentication Windows2008 domain users but the POC test is failed, do you have experience on this and could shed some light on it? Thanks for your support. My FreeRADIUS LDAP related configuration listed below: more /etc/raddb/modules/ldap â¦... ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "192.168.254.102" identity = "cn=Administrator,cn=Users,dc=ms,dc=local" password = "1qaz!QAZ" basedn = "dc=ms,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 # seconds to wait for LDAP query to finish. default: 20 timeout = 20 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 20 â¦â¦ And my radiusd -X output as below, you could see there is Access-Reject messages sent to NAS. rad_recv: Access-Request packet from host 192.168.253.254 port 49603, id=77, length=253 NAS-IP-Address = 192.168.253.254 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "lab" Service-Type = Login-User Calling-Station-Id = "F437B7011933" Called-Station-Id = "000B86999D57" MS-CHAP-Challenge = 0xbd38014db9614219e63be5946a2e5e37 MS-CHAP2-Response = 0x09001650f03ffa8a6d6ce04f76d60a8cf4c900000000000000008be9d324ae40a1063 66c1ee86933dacd17bf520297182190 Aruba-Essid-Name = "microshield-lab" Aruba-Location-Id = "lab-AP-1" Aruba-Attr-10 = 0x6d6963726f736869656c642d6c6162 Aruba-Attr-12 = 0x6950686f6e65 Message-Authenticator = 0x530723b754043a3c9ff8cdc151e2ed87 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "lab", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ldap] performing user authorization for lab [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> lab [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=lab) [ldap] expand: dc=ms,dc=local -> dc=ms,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=ms,dc=local, with filter (sAMAccountName=lab) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user lab authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> lab [sql] sql_set_user escaped user --> 'lab' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lab', '', 'Access-Reject', '2015-05-18 13:53:47') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lab', '', 'Access-Reject', '2015-05-18 13:53:47') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> lab attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 77 to 192.168.253.254 port 49603 Finished request 26. BR! Chen Jiang Microshield Technology Co., Ltd åäº¬å¸æµ·æ·åºè¥¿ä¸ç¯åè·¯50å·è±ªæå¤§å¦C2座18-19å± 100048 (86)10-88518768 (86)18612696123 [1]chenjiang@microshield.com.cn References 1. mailto:chenjiang@microshield.com.cn
Hi,
Sorry for disturbing, I try to use LDAP as FreeRADIUS backend DB to authentication Windows2008 domain users but the POC test is failed, do you have experience on this and could shed some light on it? Thanks for your support.
PEAP authentication? you cant use LDAP to talk to AD to get the required info out - you need to use ntlm_auth alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
chenjiang