I'm trying to get Freeradius configured to authenicate our vpn users from a Cisco 3005 concentrator against Active Directory using the ldap module. When I authenicated a vpn user on a per user basis - it works fine. However, I want authenicate not only the user, but also verify that the user is a member of a "group" in active directory. I was following Dustin Doris's suggestion on Per-Client "group" matching and configured the huntgroups, users, and radiusd.conf accordingly. However, it seems to fail doing a group lookup. I don't know if it matters, but the user object and group object in Active Directory are in different containers (OU's). Any help would be appreciated. Thanks Robert Graham ########## Debug out: ########## rad_recv: Access-Request packet from host 172.16.1.91:1054, id=40, length=119 User-Name = "rgraham" User-Password = "XXXXXXXXXX" NAS-Port = 1036 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "192.168.15.1" Calling-Station-Id = "192.168.15.2" Tunnel-Client-Endpoint:0 = "192.168.15.2" NAS-IP-Address = 172.16.1.91 NAS-Port-Type = Virtual rad_lowerpair: User-Name now 'rgraham' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for rgraham radius_xlat: '(sAMAccountName=rgraham)' radius_xlat: 'ou=mem users,dc=mem-ins,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to mem_co_dept1.mem-ins.com:389, authentication 0 rlm_ldap: bind as cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com/XXXXXXXXXX to mem_co_dept1.mem-ins.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (sAMAccountName=rgraham) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user rgraham authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rgraham", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mem users,dc=mem-ins,dc=com' radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member. users: Matched DEFAULT at 166 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 40 to 172.16.1.91:1054 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 40 with timestamp 42b1c93a Nothing to do. Sleeping until we see a request. ############ Users file: ############ DEFAULT Huntgroup-Name == vpnusers, LDAP-Group == MEMVPNFlex, Auth-Type := LDAP OU = TestGroup Fall-Through = 1 ############ huntgroup ############ vpnusers NAS-IP-Address == 172.16.1.91 ####################### ldap section of radiusd.conf ####################### ldap { server = "mem_co_dept1.mem-ins.com" basedn = "ou=mem users,dc=mem-ins,dc=com" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" identity = "cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com" password = XXXXXXXXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 }
I'm trying to get Freeradius configured to authenicate our vpn users from a Cisco 3005 concentrator against Active Directory using the ldap module. When I authenicated a vpn user on a per user basis - it works fine. However, I want authenicate not only the user, but also verify that the user is a member of a "group" in active directory. I was following Dustin Doris's suggestion on Per-Client "group" matching and configured the huntgroups, users, and radiusd.conf accordingly. However, it seems to fail doing a group lookup. I don't know if it matters, but the user object and group object in Active Directory are in different containers (OU's). Any help would be appreciated.
You need to specify where the groups are located in AD.
rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mem users,dc=mem-ins,dc=com' radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member. users: Matched DEFAULT at 166
The user was not found in that group, based on the lookup above.
groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) (&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName
You have to modify these so you can find the group memberships. For example, how would you perform an ldapsearch from the command line to find group memberships? Take that info and put it there. Make sure the user you are binding with has access to read those groups. Hope that is a little helpful.
participants (2)
-
Dustin Doris -
Graham, Robert