FreeRadius cannot Authenticate to Windows AD

Alhagie Puye APuye at datawave.com
Fri Dec 16 07:01:10 CET 2005 

Put quotes around the password....one thing I learned. That will take
you further.
 
I have a working config. So, please let me know if you are still running
into problems.
 
P.S.
I will be posting a doc on the wiki once I'm done with testing.
 

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817 

 


________________________________

	From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Michael Calizo
	Sent: December 15, 2005 8:26 PM
	To: Freeradius-Users at lists.freeradius.org
	Subject: FreeRadius cannot Authenticate to Windows AD
	
	
	Hi Guru's,
	
	
	I have installed freeradius and used each LDAP module to
authenticate to WINDOWS 2003 AD. The problem is it cant do the
authentication, seems that i missed the radius.conf LDAP module
configuration which causes the LDAP module to  failed when connecting to
MSAD. Below is my radius.conf config file.
	
	
	Hoping that you guys can help me, coz i have been googling all
day for this config and i can not make this thing work... Thnx  in
advance.. 
	
	radius.conf:
	
	ldap {
	                server = "oberon.chikka.ph"
	                # identity = "cn=admin,o=My Org,c=UA"
	                 identity =
"cn=backops,cn=Admin,dc=chikka,dc=ph"
	                 password = _bant at 3a-@n
	                # password = mypass
	                basedn = "dc=chikka,dc=ph"
	                #       filter =
"(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
	                #filter = "(SamAccountName=%U)"
	                #filter = "(SamAccountName=%u)"
	                # base_filter = "(objectclass=radiusprofile)"
	                base_filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,D
C=chikka,DC=ph))"
	                filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
	
	                # set this to 'yes' to use TLS encrypted
connections
	                # to the LDAP database by using the StartTLS
extended
	                # operation.
	                # The StartTLS operation is supposed to be used
with normal
	                # ldap connections instead of using ldaps (port
689) connections
	                start_tls = no
	
	                # tls_cacertfile        = /path/to/cacert.pem
	                # tls_cacertdir         = /path/to/ca/dir/
	                # tls_certfile          = /path/to/radius.crt
	                # tls_keyfile           = /path/to/radius.key
	                # tls_randfile          = /path/to/rnd
	                # tls_require_cert      = "demand"
	
	                # default_profile =
"cn=radprofile,ou=dialup,o=My Org,c=UA"
	                # profile_attribute = "radiusProfileDn"
	                access_attr = "dialupAccess"
	
	ictionary_mapping = ${raddbdir}/ldap.attrmap
	
	                ldap_connections_number = 5
	
	                #
	                # NOTICE: The password_header directive is NOT
case insensitive
	                #
	                # password_header = "{clear}"
	                #
	                #  The server can usually figure this out on its
own, and pull
	                #  the correct User-Password or NT-Password from
the database.
	                #
	                #  Note that NT-Passwords MUST be stored as a
32-digit hex
	                #  string, and MUST start off with "0x", such
as:
	                #
	                #       0x000102030405060708090a0b0c0d0e0f
	                #
	                #  Without the leading "0x", NT-Passwords will
not work.
	                #  This goes for NT-Passwords stored in SQL,
too.
	                #
	                # password_attribute = userPassword
	                 groupname_attribute = cn
	                 groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	                 groupmembership_attribute = memberOf
	                timeout = 4
	                timelimit = 3
	                net_timeout = 1
	                # compare_check_items = yes
	                # do_xlat = yes
	                # access_attr_used_for_allow = yes
	        }
	
	
	Here is my the radiusd -X  -A LOG...
	
	rad_recv: Access-Request packet from host 192.168.1.13:37146,
id=42, length=59
	        User-Name = "myaccount"
	        User-Password = "mypass"
	        NAS-IP-Address = 255.255.255.255
	        NAS-Port = 1812
	  Processing the authorize section of radiusd.conf
	modcall: entering group authorize for request 0
	  modcall[authorize]: module "preprocess" returns ok for request
0
	  modcall[authorize]: module "chap" returns noop for request 0
	  modcall[authorize]: module "mschap" returns noop for request 0
	    rlm_realm: No '@' in User-Name = "myaccount", looking up
realm NULL
	    rlm_realm: No such realm "NULL"
	  modcall[authorize]: module "suffix" returns noop for request 0
	  rlm_eap: No EAP-Message, not doing EAP
	  modcall[authorize]: module "eap" returns noop for request 0
	    users: Matched DEFAULT at 152
	  modcall[authorize]: module "files" returns ok for request 0
	modcall: group authorize returns ok for request 0
	  rad_check_password:  Found Auth-Type ldap
	auth: type "LDAP"
	  Processing the authenticate section of radiusd.conf
	modcall: entering group Auth-Type for request 0
	rlm_ldap: - authenticate
	rlm_ldap: login attempt by "myaccount" with password "mypass"
	radius_xlat:  '(&(sAMAccountName=myaccount)'
	radius_xlat:  'dc=domain,dc=com'
	rlm_ldap: ldap_get_conn: Checking Id: 0
	rlm_ldap: ldap_get_conn: Got Id: 0
	rlm_ldap: attempting LDAP reconnection
	rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
	rlm_ldap: bind as
cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
	rlm_ldap: waiting for bind result ...
	rlm_ldap: LDAP login failed: check identity, password settings
in ldap section of radiusd.conf
	rlm_ldap: (re)connection attempt failed
	rlm_ldap: ldap_release_conn: Release Id: 0
	  modcall[authenticate]: module "ldap" returns fail for request
0
	modcall: group Auth-Type returns fail for request 0
	auth: Failed to validate the user.
	Delaying request 0 for 1 seconds
	Finished request 0
	Going to the next request
	--- Walking the entire request list ---
	Waking up in 1 seconds...
	--- Walking the entire request list ---
	Sending Access-Reject of id 42 to 192.168.1.13:37146
	Waking up in 4 seconds...
	--- Walking the entire request list ---
	Cleaning up request 0 ID 42 with timestamp 43a23bb5
	Nothing to do.  Sleeping until we see a request.
	
	
	-- 
	Mike Calizo
	Registered Linux User # 365113
	
	_________________________________________________
	Even the longest journey has to start with a small first-step
	




This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed.  If you have received it by mistake please notify the sender by return e-mail and delete this message from your system.  Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited.  E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change.  We will use alternate communication means upon request.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20051216/8d3f6586/attachment.html>

More information about the Freeradius-Users mailing list