FreeRadius cannot Authenticate to Windows AD
Michael Calizo
mike.calizo at gmail.com
Fri Dec 16 07:25:09 CET 2005
Hi,
Same thing happened; I still cannot authenticate to Windows AD. The same
error is displayed when I debug radiusd....
I put quotes around the password:
radtest user 'mypass' 192.168.1.1:1812 1812 testing123
or
radtest user 'mypass' 192.168.1.1:1812 1812 testing123
What do you think is the problem?
On 12/16/05, Alhagie Puye <APuye at datawave.com> wrote:
>
> Put quotes around the password... one thing I learned. That will take you
> further.
>
> I have a working config. So, please let me know if you are still running
> into problems.
>
> P.S.
> I will be posting a doc on the wiki once I'm done with testing.
>
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
>
> ------------------------------
> *From:* freeradius-users-bounces at lists.freeradius.org [mailto:
> freeradius-users-bounces at lists.freeradius.org] *On Behalf Of *Michael
> Calizo
> *Sent:* December 15, 2005 8:26 PM
> *To:* Freeradius-Users at lists.freeradius.org
> *Subject:* FreeRadius cannot Authenticate to Windows AD
>
> Hi Gurus,
>
>
> I have installed FreeRADIUS and used the LDAP module to authenticate to
> Windows 2003 AD. The problem is it can't do the authentication; it seems I
> missed something in the radiusd.conf LDAP module configuration, which causes
> the LDAP module to fail when connecting to MS AD. Below is my radiusd.conf
> config file.
>
>
> Hoping that you guys can help me, because I have been googling all day for
> this config and I cannot make this thing work... Thanks in advance.
>
> radiusd.conf:
>
> ldap {
>         server = "oberon.chikka.ph"
>         # identity = "cn=admin,o=My Org,c=UA"
>         identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
>         password = _bant at 3a-@n
>         # password = mypass
>         basedn = "dc=chikka,dc=ph"
>         # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
>         #filter = "(SamAccountName=%U)"
>         #filter = "(SamAccountName=%u)"
>         # base_filter = "(objectclass=radiusprofile)"
>         base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
>         # the outer "(&" needs its own closing ")", otherwise the
>         # expanded search filter is unbalanced
>         filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 636) connections
>         start_tls = no
>
>         # tls_cacertfile = /path/to/cacert.pem
>         # tls_cacertdir = /path/to/ca/dir/
>         # tls_certfile = /path/to/radius.crt
>         # tls_keyfile = /path/to/radius.key
>         # tls_randfile = /path/to/rnd
>         # tls_require_cert = "demand"
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "dialupAccess"
>
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>
>         #
>         # NOTICE: The password_header directive is NOT case insensitive
>         #
>         # password_header = "{clear}"
>         #
>         # The server can usually figure this out on its own, and pull
>         # the correct User-Password or NT-Password from the database.
>         #
>         # Note that NT-Passwords MUST be stored as a 32-digit hex
>         # string, and MUST start off with "0x", such as:
>         #
>         # 0x000102030405060708090a0b0c0d0e0f
>         #
>         # Without the leading "0x", NT-Passwords will not work.
>         # This goes for NT-Passwords stored in SQL, too.
>         #
>         # password_attribute = userPassword
>         groupname_attribute = cn
>         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         groupmembership_attribute = memberOf
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         # compare_check_items = yes
>         # do_xlat = yes
>         # access_attr_used_for_allow = yes
> }
>
>
> Here is my radiusd -X -A log:
>
> rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
>         User-Name = "myaccount"
>         User-Password = "mypass"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1812
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type ldap
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "myaccount" with password "mypass"
> radius_xlat: '(&(sAMAccountName=myaccount)'
> radius_xlat: 'dc=domain,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
> rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authenticate]: module "ldap" returns fail for request 0
> modcall: group Auth-Type returns fail for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 42 to 192.168.1.13:37146
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 42 with timestamp 43a23bb5
> Nothing to do. Sleeping until we see a request.
>
>
> --
> Mike Calizo
> Registered Linux User # 365113
>
> _________________________________________________
> Even the longest journey has to start with a small first-step
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
--
Mike Calizo
Registered Linux User # 365113
_________________________________________________
Even the longest journey has to start with a small first-step
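The debug output quoted above stops at "LDAP login failed: check identity, password settings", which is the bind with the configured identity/password, performed before the user is searched for, so the user's own password was never tested; the same output also shows the expanded filter '(&(sAMAccountName=myaccount)' with an unbalanced parenthesis, and prints both the bind password and the user's password in clear. The script below, added here as an example (it is not FreeRADIUS code and not from either poster), reads such rlm_ldap debug lines, reports which of these stages failed, checks the filter, and redacts the passwords before the log is pasted to a list. The constructed SAMPLE_LOG is trimmed from the thread's output; the "object not found" and "authenticated succesfully" strings are assumed 1.x rlm_ldap wording, not shown on this page.

```python
"""
Triage helper for rlm_ldap lines in `radiusd -X` output. Added example for
this thread; not FreeRADIUS code and not the poster's configuration.
"""
import re

# Constructed sample, trimmed from the debug output quoted in the thread.
SAMPLE_LOG = """\
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat: '(&(sAMAccountName=myaccount)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
modcall[authenticate]: module "ldap" returns fail for request 0
"""

# Line shapes taken from the debug output quoted in the thread.
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>.+?)/(?P<pw>\S+) to (?P<host>\S+)")
LOGIN_RE = re.compile(r'login attempt by "(?P<user>[^"]*)" with password "(?P<pw>[^"]*)"')
XLAT_RE = re.compile(r"radius_xlat: '([^']*)'")


def filter_balanced(ldap_filter):
    """True when every '(' in the expanded search filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def redact(log):
    """Mask the bind password and the user's password; -X prints both in clear."""
    log = BIND_RE.sub(
        lambda m: "rlm_ldap: bind as %s/<redacted> to %s" % (m.group("dn"), m.group("host")),
        log)
    log = LOGIN_RE.sub(
        lambda m: 'login attempt by "%s" with password "<redacted>"' % m.group("user"),
        log)
    return log


def triage(log):
    """Return a dict saying where the rlm_ldap exchange stopped and why."""
    result = {"stage": "unknown", "bind_dn": None, "filter": None,
              "filter_balanced": None, "notes": []}
    xlats = XLAT_RE.findall(log)
    if xlats:
        # rlm_ldap expands the search filter first, then the base DN
        result["filter"] = xlats[0]
        result["filter_balanced"] = filter_balanced(xlats[0])
        if not result["filter_balanced"]:
            result["notes"].append(
                "search filter has unbalanced parentheses; fix 'filter' in the ldap section")
    m = BIND_RE.search(log)
    if m:
        result["bind_dn"] = m.group("dn")
    if "LDAP login failed: check identity, password settings" in log:
        # Bind with the configured identity/password failed. This happens
        # before the user search, so the user's password was never tested.
        result["stage"] = "admin_bind_failed"
        result["notes"].append(
            "identity/password rejected by the LDAP server; verify them outside FreeRADIUS first")
    elif "object not found" in log:          # assumed 1.x wording for a failed user search
        result["stage"] = "user_search_failed"
    elif "authenticated succes" in log:      # assumed 1.x wording (misspelled in the source)
        result["stage"] = "ok"
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    print(redact(SAMPLE_LOG))
```

When the stage is admin_bind_failed, the quickest check is a simple bind with the same identity and password from the command line, for example `ldapsearch -x -H ldap://oberon.chikka.ph -D "cn=backops,cn=Admin,dc=chikka,dc=ph" -W -b "dc=chikka,dc=ph" "(sAMAccountName=myaccount)"`; until that returns the user entry, nothing in the filter or attribute mapping matters. Note that with start_tls = no this bind, and every user password rlm_ldap later tests, crosses the network in clear on port 389.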