FreeRadius cannot Authenticate to Windows AD

Michael Calizo mike.calizo at gmail.com
Fri Dec 16 07:25:09 CET 2005


Hi,

The same thing has happened; I still cannot authenticate to Windows AD. The same
error is displayed when I debug radiusd....

I put quotes around the password..

radtest user 'mypass' 192.168.1.1:1812 1812 testing123
or
radtest user 'mypass' 192.168.1.1:1812 1812 testing123


What do you think is the problem?

On 12/16/05, Alhagie Puye <APuye at datawave.com> wrote:
>
> Put quotes around the password....one thing I learned. That will take you
> further.
>
> I have a working config. So, please let me know if you are still running
> into problems.
>
> P.S.
> I will be posting a doc on the wiki once I'm done with testing.
>
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
>
>  ------------------------------
> *From:* freeradius-users-bounces at lists.freeradius.org [mailto:
> freeradius-users-bounces at lists.freeradius.org] *On Behalf Of *Michael
> Calizo
> *Sent:* December 15, 2005 8:26 PM
> *To:* Freeradius-Users at lists.freeradius.org
> *Subject:* FreeRadius cannot Authenticate to Windows AD
>
> Hi Gurus,
>
>
> I have installed FreeRADIUS and used the LDAP module to authenticate to
> Windows 2003 AD. The problem is it can't do the authentication; it seems that I
> missed something in the radiusd.conf LDAP module configuration, which causes the
> LDAP module to fail when connecting to MS AD. Below is my radiusd.conf config
> file.
>
>
> Hoping that you guys can help me, coz I have been googling all day for
> this config and I cannot make this thing work... Thanks in advance..
>
> radiusd.conf:
>
> ldap {
>                 server = "oberon.chikka.ph"
>                 # identity = "cn=admin,o=My Org,c=UA"
>                 identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
>                 password = _bant at 3a-@n
>                 # password = mypass
>                 basedn = "dc=chikka,dc=ph"
>                 # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
>                 # filter = "(SamAccountName=%U)"
>                 # filter = "(SamAccountName=%u)"
>                 # base_filter = "(objectclass=radiusprofile)"
>                 base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
>                 filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>
>                 # set this to 'yes' to use TLS encrypted connections
>                 # to the LDAP database by using the StartTLS extended
>                 # operation.
>                 # The StartTLS operation is supposed to be used with normal
>                 # ldap connections instead of using ldaps (port 689) connections
>                 start_tls = no
>
>                 # tls_cacertfile        = /path/to/cacert.pem
>                 # tls_cacertdir         = /path/to/ca/dir/
>                 # tls_certfile          = /path/to/radius.crt
>                 # tls_keyfile           = /path/to/radius.key
>                 # tls_randfile          = /path/to/rnd
>                 # tls_require_cert      = "demand"
>
>                 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                 # profile_attribute = "radiusProfileDn"
>                 access_attr = "dialupAccess"
>
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>                 ldap_connections_number = 5
>
>                 #
>                 # NOTICE: The password_header directive is NOT case insensitive
>                 #
>                 # password_header = "{clear}"
>                 #
>                 #  The server can usually figure this out on its own, and pull
>                 #  the correct User-Password or NT-Password from the database.
>                 #
>                 #  Note that NT-Passwords MUST be stored as a 32-digit hex
>                 #  string, and MUST start off with "0x", such as:
>                 #
>                 #       0x000102030405060708090a0b0c0d0e0f
>                 #
>                 #  Without the leading "0x", NT-Passwords will not work.
>                 #  This goes for NT-Passwords stored in SQL, too.
>                 #
>                 # password_attribute = userPassword
>                 groupname_attribute = cn
>                 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>                 groupmembership_attribute = memberOf
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>                 # compare_check_items = yes
>                 # do_xlat = yes
>                 # access_attr_used_for_allow = yes
>         }
>
>
> Here is my radiusd -X -A log...
>
> rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
>         User-Name = "myaccount"
>         User-Password = "mypass"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1812
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type ldap
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "myaccount" with password "mypass"
> radius_xlat:  '(&(sAMAccountName=myaccount)'
> radius_xlat:  'dc=domain,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
> rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module "ldap" returns fail for request 0
> modcall: group Auth-Type returns fail for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 42 to 192.168.1.13:37146
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 42 with timestamp 43a23bb5
> Nothing to do.  Sleeping until we see a request.
>
>
> --
> Mike Calizo
> Registered Linux User # 365113
>
> _________________________________________________
> Even the longest journey has to start with a small first-step
>
>
> This message (including any attachments) is confidential, may be
> privileged and is only intended for the person to whom it is addressed. If
> you have received it by mistake please notify the sender by return e-mail
> and delete this message from your system. Any unauthorized use or
> dissemination of this message in whole or in part is strictly prohibited.
> E-mail communications are inherently vulnerable to interception by
> unauthorized parties and are susceptible to change. We will use alternate
> communication means upon request.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>


--
Mike Calizo
Registered Linux User # 365113

_________________________________________________
Even the longest journey has to start with a small first-step
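The debug log quoted above fails at the very first `rlm_ldap: bind as ...` line, i.e. the bind with the configured `identity`/`password` (the service account), before the user's own password is ever checked, and the posted `ldap {}` section has an unquoted password containing special characters (the point of the "put quotes around the password" advice), an unbalanced parenthesis in `filter` (visible again in the `radius_xlat: '(&(sAMAccountName=myaccount)'` line) and a mistyped directive. The following script is an added example, not code from the thread or from the FreeRADIUS project: it lints an `ldap {}` section for those three problems, locates the failing stage in `radiusd -X` output, and redacts bind and user passwords from both before they are pasted to a mailing list. The config and log samples are constructed copies of what was posted (password replaced by a made-up placeholder); the `performing search` marker used to tell a service-account bind from a user bind is assumed rlm_ldap 1.x wording and does not occur in the posted log.

```python
import re

# Directive names taken from the ldap {} section posted in the thread.
KNOWN_DIRECTIVES = {
    "server", "identity", "password", "basedn", "filter", "base_filter",
    "start_tls", "tls_cacertfile", "tls_cacertdir", "tls_certfile",
    "tls_keyfile", "tls_randfile", "tls_require_cert", "default_profile",
    "profile_attribute", "access_attr", "dictionary_mapping",
    "ldap_connections_number", "password_header", "password_attribute",
    "groupname_attribute", "groupmembership_filter",
    "groupmembership_attribute", "timeout", "timelimit", "net_timeout",
    "compare_check_items", "do_xlat", "access_attr_used_for_allow",
}
# Conservative heuristic: anything outside this set should be quoted.
SAFE_UNQUOTED = re.compile(r"^[A-Za-z0-9_.-]*$")

# Constructed sample: the posted section with wrapped lines rejoined and the
# real bind password replaced by a made-up placeholder.
SAMPLE_CONF = '''
ldap {
    server = "oberon.chikka.ph"
    identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
    password = p@ss-w0rd@dir
    basedn = "dc=chikka,dc=ph"
    base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
    filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    access_attr = "dialupAccess"
    ictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupname_attribute = cn
    groupmembership_attribute = memberOf
    timeout = 4
}
'''

# Constructed sample: the rlm_ldap part of the posted radiusd -X output.
SAMPLE_LOG = '''rlm_ldap: - authenticate
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat:  '(&(sAMAccountName=myaccount)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
  modcall[authenticate]: module "ldap" returns fail for request 0
'''

BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>[^/]+)/(?P<secret>\S+) to (?P<server>\S+)")
USERPW_RE = re.compile(r'(login attempt by "[^"]*" with password )"[^"]*"')


def parse_ldap_section(text):
    """Return {directive: raw value} for the ldap { ... } block, skipping comment lines."""
    values, inside = {}, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if not inside:
            inside = s.startswith("ldap") and s.endswith("{")
            continue
        if s == "}":
            break
        key, sep, val = s.partition("=")
        if sep:
            values[key.strip()] = val.strip()
    return values


def lint_ldap_section(text):
    """Flag unknown directives, an unquoted password with special characters,
    and filters whose parentheses do not balance."""
    findings = []
    for key, val in parse_ldap_section(text).items():
        if key not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{key}' (typo?)")
        quoted = len(val) >= 2 and val[0] == '"' and val[-1] == '"'
        if key == "password" and not quoted and not SAFE_UNQUOTED.match(val):
            findings.append("password contains special characters but is not quoted")
        if key.endswith("filter"):
            body = val.strip('"')
            if body.count("(") != body.count(")"):
                findings.append(f"{key} has unbalanced parentheses: {body}")
    return findings


def triage_debug_log(log):
    """Report which bind failed: the service account (identity/password in
    ldap {}) or the user bind that follows the user search."""
    saw_search, last_bind = False, None
    for line in log.splitlines():
        if "performing search" in line:   # assumed rlm_ldap 1.x wording
            saw_search = True
        m = BIND_RE.search(line)
        if m:
            last_bind = m
        elif "LDAP login failed" in line and last_bind:
            return {"stage": "user-bind" if saw_search else "service-bind",
                    "dn": last_bind["dn"], "server": last_bind["server"]}
    return {"stage": "unknown", "dn": None, "server": None}


def redact(text):
    """Strip bind and user passwords from config or debug output before sharing."""
    text = BIND_RE.sub(lambda m: f"rlm_ldap: bind as {m['dn']}/<redacted> to {m['server']}", text)
    text = USERPW_RE.sub(r'\1"<redacted>"', text)
    return re.sub(r"^(\s*password\s*=\s*).*$", r"\1<redacted>", text, flags=re.M)


if __name__ == "__main__":
    for f in lint_ldap_section(SAMPLE_CONF):
        print("lint:", f)
    print("triage:", triage_debug_log(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

On the posted material the triage reports a `service-bind` failure for `cn=backops,cn=Admin,dc=domain,dc=com` against `192.168.1.1:389`, which means the user's password was never tested and the fix belongs in `identity`/`password`, not in the user entry; the lint output is what to check before re-posting, and the redacted text is what to post.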