freeradius not working with AD
I'm trying to configure freeradius to authenticate against AD for wireless users. Attached the entire log message for reference. I was able to narrow down the issue but could not fix it, can someone help me here. User-Name = "<domain\username>" NAS-IP-Address = 10.20.0.253 Called-Station-Id = "0014bf72d6be" Calling-Station-Id = "0014a526c319" NAS-Identifier = "0014bf72d6be" NAS-Port = 60 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001301434f52505c6b6172747468696b72 Message-Authenticator = 0xbb9d83dd419b80f599579697d6b70bcd +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "<domain\username>", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "<domain\username>" rlm_realm: No such realm "DOMAIN" ++[ntdomain] returns noop ++[expiration] returns noop ++[logintime] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [<domain\\username>/<no User-Password attribute>] (from client <stripped> port 60 cli 0014a526c319) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> <domain\username> attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +55 Ready to process requests.
Karthik R wrote:
I'm trying to configure freeradius to authenticate against AD for wireless users. Attached the entire log message for reference.
I was able to narrow down the issue but could not fix it, can someone help me here.
You edited the default configuration and broke it. DON'T DO THAT. The default configuration WORKS for wireless users. Add a user as per the FAQ, uncheck "validate server certificate" on the wireless client, and wireless authentication WILL WORK. Then, configure the MSCHAP module, and Samba. See my web site for detailed instructions.: http://deployingradius.com Alan DeKok.
Alan, I reconfigured freeradius from scratch and when generated the ca.der certificate it generates the certificate valid for only 30 days. The default days mentioned in ca.cnf has been modified to 730 days, but still no luck. Additionally modified openssl.cnf too for 730 days. default_days = 730 default_crl_days = 30 Pls let me know if this validity matters ? On 5/19/08, Alan DeKok <aland@deployingradius.com> wrote:
Karthik R wrote:
I'm trying to configure freeradius to authenticate against AD for wireless users. Attached the entire log message for reference.
I was able to narrow down the issue but could not fix it, can someone help me here.
You edited the default configuration and broke it.
DON'T DO THAT.
The default configuration WORKS for wireless users. Add a user as per the FAQ, uncheck "validate server certificate" on the wireless client, and wireless authentication WILL WORK.
Then, configure the MSCHAP module, and Samba. See my web site for detailed instructions.: http://deployingradius.com
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Kartthik R --------------------------------------------------------- Success is a journey, Not a destination.
All, I'm trying to configure freeradius to authenticate wireless users against AD. Initially i generated the ssl certificate it had only 30 days validity period, so modified the openssl command to include -days 730. I followed the steps as mentioned in http://deployingradius.com/ and installation document still not working. I'm able to succeed with standalone ntlm_auth command and see the lists from AD using wbinfo -u and wbinfo -g. Attached the log message. Still i dont see ntlm_auth getting trigged for user authentication and unable to authenticate the users against AD. can someone throw some light here. snip => (other): before/accept initialization TLS_accept: before/accept initialization TLS_accept: SSLv3 read client hello A TLS_accept: SSLv3 write server hello A TLS_accept: SSLv3 write certificate A TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data *TLS_accept: Need to read more data: SSLv3 read client certificate A (Is there any wrong with this message ?)* thanks, Kartthik
participants (2)
-
Alan DeKok -
Karthik R