Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]

Alhagie Puye APuye at datawave.com
Sat Nov 26 19:47:48 CET 2005


Thanks Dusty. That's very helpful.

I have one little problem. I was hoping someone could shed some light on
it.

For the Active Directory security, I need to specify the username as
"Domain\user" instead of just "user" for the identity in radiusd.conf

"user@domain.com" doesn't seem to work.

Here is the output:

rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146,
length=57
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(uid=apuye)'
radius_xlat:  'dc=ad,dc=puyenet,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
rlm_ldap: bind as
cn=apuye@ad.puyenet.com,ou=users,dc=ad,dc=puyenet,dc=com/password to
orion.puyenet.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap
section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 4
modcall: group authorize returns fail for request 4
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 146 with timestamp 4388ab87
Nothing to do.  Sleeping until we see a request.

The radiusd.conf file looks like this for the ldap section:
ldap {
        server = "orion.puyenet.com"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "cn=apuye@ad.puyenet.com,ou=users,dc=ad,dc=puyenet,dc=com"
        password = password
        #basedn = "o=My Org,c=UA"
        basedn = "dc=ad,dc=puyenet,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
}


Thanks in advance.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> >-----Original Message-----
> >From: freeradius-users-bounces at lists.freeradius.org 
> >[mailto:freeradius-users-bounces at lists.freeradius.org] On 
> >Behalf Of Dusty Doris
> >Sent: November 25, 2005 9:43 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active 
> >Directory[ADIntegrationWindowsXP NTLM Tutorial] 
> >
> >
> >> So, the question again is if the VPN Concentrator is only sending 
> >> username and password, do I need ntml_auth or ms-chap? FreeRADIUS 
> >> doesn't have any usernames and password and will query Active 
> >> Directory for the actual authentication.
> >>
> >> Thanks,
> >>
> >
> >If the packet is merely containing plaintext username and 
> >password, then you can probably just use rlm_ldap against AD 
> >and hit it directly.  Just need to set up a user with read 
> >access to the directory to do the initial bind with and 
> >search of the user for authorization.  Then the user will be 
> >authenticated by doing a bind against AD with the 
> >username/password in the packet.
> >
> >BTW - I use freeradius w/ ldap for cisco VPN concentrators 
> >as well, although it's OpenLDAP instead of AD.  To pass back 
> >the class attribute, you must modify ldap.attrmap and 
> >specify the reply item of Class to match what you call it in 
> >the directory.
> >
> >eg:
> >
> >replyItem	Class	radiusClass
> >
> >Then in the directory, you have
> >
> >dn: cn=someuser,...
> >...
> >radiusClass: "OU=myvpngroup;"
> >
> >So, for AD, you'll need to extend the schema and add an 
> >attribute for this.  Or if you already have something that 
> >you can use, just modify ldap.attrmap to know what it is.
> >
> >-Dusty Doris
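An added diagnostic (not from the post, and not FreeRADIUS code) that isolates the step failing in the debug output above: rlm_ldap's first bind with the configured identity, which must succeed before the user is even searched for. It tries the identity forms an AD simple bind accepts (full DN, UPN, DOMAIN\user) and reports the first that works; the bind call is injectable so the selection logic also runs offline. Assumed: the ldap3 library for the real bind, and "AD" as the NetBIOS name for the ad.puyenet.com domain.

```python
from typing import Callable, List, Optional, Tuple

# (identity, password) -> True when the LDAP simple bind succeeds
BindFn = Callable[[str, str], bool]


def candidate_identities(user: str, dns_domain: str, netbios_domain: str,
                         users_ou: str, base_dn: str) -> List[Tuple[str, str]]:
    """Identity forms AD accepts for a simple bind. The DN form uses the
    object's cn (in AD that is often the display name, not the login name);
    the UPN and DOMAIN\\user forms use the login name (sAMAccountName)."""
    return [
        ("DN", f"cn={user},{users_ou},{base_dn}"),
        ("UPN", f"{user}@{dns_domain}"),
        ("DOMAIN\\user", f"{netbios_domain}\\{user}"),
    ]


def find_working_identity(candidates: List[Tuple[str, str]], password: str,
                          try_bind: BindFn) -> Optional[Tuple[str, str]]:
    """Return (label, identity) of the first candidate whose bind succeeds."""
    for label, identity in candidates:
        if try_bind(identity, password):
            return label, identity
    return None


def ldap3_simple_bind(server_uri: str) -> BindFn:
    """Real bind via the ldap3 library (pip install ldap3). Prefer an ldaps://
    URI: over plain ldap:// a simple bind sends the password in the clear."""
    def _bind(identity: str, password: str) -> bool:
        from ldap3 import Server, Connection, SIMPLE
        conn = Connection(Server(server_uri), user=identity, password=password,
                          authentication=SIMPLE)
        ok = conn.bind()  # False on invalid credentials, no exception
        conn.unbind()
        return ok
    return _bind


if __name__ == "__main__":
    import getpass
    # Values taken from the post; "AD" as the NetBIOS domain is an assumption.
    cands = candidate_identities("apuye", "ad.puyenet.com", "AD",
                                 "ou=users", "dc=ad,dc=puyenet,dc=com")
    hit = find_working_identity(cands, getpass.getpass("bind password: "),
                                ldap3_simple_bind("ldap://orion.puyenet.com:389"))
    print("identity =", hit[1] if hit else "none of the candidates bound")
```

Whichever form binds here is the value to put in `identity =` in the ldap section; if only the DN form fails, the cn in the configured DN does not match the account's actual cn.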


