Issues authenticating vs 2003 AD

Tim P panterafreak at gmail.com
Thu Aug 18 20:07:53 CEST 2005


Ok, using these settings it seems to authenticate with radtest:
> Radius.conf
>         ldap {
>                 server = "domcon.company.org"
>                 basedn = "dc=company,dc=org"
>                 filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>                 password_attribute = "userPassword"
>                 identity = "cn=administrator,cn=Users,dc=company,dc=org"
>                 password = password

[root at redguard ~]# radtest user userpass localhost:1812 1 radiussecret
Sending Access-Request of id 201 to 127.0.0.1:1812
        User-Name = "user"
        User-Password = "userpass"
        NAS-IP-Address = redguard.company.net
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20

And the output of radiusd -X -A shows:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tporritt
radius_xlat:  '(sAMAccountName=tporritt)'
radius_xlat:  'dc=gtdsolutions,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter
(sAMAccountName=tporritt)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tporritt authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tporritt" with password "pantera"
rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1
rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tporritt authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 201 to 127.0.0.1:32770
Finished request 1


These two look to me like they authenticated the user successfully.  

I have l2tpd handling authentication, which passes it to pppd.
In /etc/ppp/options.l2tpd I have:

# added for radius auth with radius
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
plugin radius.so


Is it possible that this will work?

I tried using ntlm_auth from pppd with no luck, as it gave me:

Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized.
Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd: unrecognized option '--helper-protocol=ntlm-server-1'

The lines I had were:
# winbind auth
plugin winbind.so
ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1


Just looking for a way (and preferably an example) of doing the
authentication against AD, since I don't seem to understand how to do it.
I have looked in radius.conf and enabled the ntlm authentication, but it
seems to insist upon using CHAP and not MS-CHAPv2; is there a
difference? It still complains about "no cleartext password".

An example would be greatly appreciated!

Thanks
Tim
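[Editor's note, added to this archived message; the configuration below is an example written for this page, not Tim's posted files and not sample configuration shipped by FreeRADIUS, pppd or Samba.] The radtest run above is a PAP request: User-Password travels in the clear (under the RADIUS shared secret), so rlm_ldap can simply bind to AD as the user with that password. pppd is configured with require-mschap-v2, so the VPN client never sends a password, only an MS-CHAPv2 challenge/response. To verify that response the RADIUS server needs either the user's NT hash (which AD does not expose over LDAP, hence "no cleartext password") or an oracle that holds it, which is what Samba's ntlm_auth provides once the host is joined to the domain. CHAP (MD5) likewise needs the cleartext password, so neither CHAP nor MS-CHAPv2 can be answered by an LDAP bind. The pppd error shown in the post comes from the helper line being split into two options; the helper command and its arguments must be one quoted value. Assumed names: the domain's NetBIOS name EXAMPLE, the path /usr/bin/ntlm_auth, and a FreeRADIUS 1.x-style radiusd.conf layout matching the one quoted above.

```conf
## /etc/ppp/options.l2tpd  (pppd answers MS-CHAPv2 itself via Samba winbind)
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
plugin winbind.so
# The helper path and its arguments are ONE pppd option value, so they must be
# quoted. Unquoted, pppd reads "--helper-protocol=ntlm-server-1" as a second
# option and rejects it with "unrecognized option".
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

## radiusd.conf  (alternative: keep "plugin radius.so" in pppd and let
## FreeRADIUS ask winbind; the RADIUS host must be joined to the domain
## with "net ads join" and winbindd must be running)
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        # --request-nt-key makes ntlm_auth return the NT key, which rlm_mschap
        # needs to derive the MPPE keys that "require-mppe" in pppd demands.
        # EXAMPLE is an assumed NetBIOS domain name.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

authorize {
        preprocess
        # mschap sets Auth-Type MS-CHAP when MS-CHAP attributes are present;
        # ldap stays for PAP clients and for pulling reply/check items from AD.
        mschap
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
}
```

Before wiring either variant in, check winbind on its own: "wbinfo -t" should report a working trust secret, and "ntlm_auth --request-nt-key --domain=EXAMPLE --username=tporritt --password=..." should print NT_STATUS_OK. Two things a practitioner would also want to change from the posted setup: the rlm_ldap identity binds as the domain Administrator, where a dedicated read-only account that can only search the user container is enough; and radiusd -X prints user passwords in the clear (as the "login attempt by ... with password" line above shows), so debug logs of real users should not be kept or pasted.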