FreeRADIUS->Active Directory

Alhagie Puye APuye at datawave.com
Tue Nov 29 00:44:14 CET 2005


Hello all,

I am still running into problems with this setup. I have made some
progress though.

First off, my setup is:

SSL VPN Client -> Cisco VPN Concentrator -> FreeRadius -> Active
Directory

I can query Active Directory with the ldapsearch tool.

waggawagga raddb # ldapsearch -h w.x.y.z -x -b 'ou=information technology,ou=datawave users,dc=corp,dc=van,dc=dwave' '(samaccountname=apuye)' -D apuye at corp.van.dwave -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=information technology,ou=datawave
users,dc=corp,dc=van,dc=dwave> with scope sub
# filter: (samaccountname=apuye)
# requesting: ALL
#

# Alhagie Puye, Information Technology, DataWave Users, corp.van.dwave
dn: CN=Alhagie Puye,OU=Information Technology,OU=Datawave
Users,DC=corp,DC=van
 ,DC=dwave
memberOf: CN=itops-folder,OU=SHARED FOLDERS,OU=DataWave
Users,DC=corp,DC=van,D
 C=dwave
memberOf: CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=itops,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,
 DC=dwave
memberOf: CN=datawave,OU=DataWave Users,DC=corp,DC=van,DC=dwave
accountExpires: 9223372036854775807
badPasswordTime: 127775870835283171
badPwdCount: 0
codePage: 0
cn: Alhagie Puye
countryCode: 0
description: IT Operations
displayName: Alhagie Puye
givenName: Alhagie
homeDirectory: \\server\apuye
homeDrive: H:
instanceType: 4
lastLogoff: 0
lastLogon: 127776922250294313
logonCount: 173
msNPAllowDialin: TRUE
distinguishedName: CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users
 ,DC=corp,DC=van,DC=dwave
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=van,DC=dwave
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: oO1UkRu8RkScNIOHmaB/qw==
objectSid:: AQUAAAAAAAUVAAAAzSmuLihcKk12fipaZwkAAA==
primaryGroupID: 513
profilePath: \\\server1\apuye
pwdLastSet: 127771529310887572
name: Alhagie Puye
sAMAccountName: apuye
sAMAccountType: 805306368
sn: Puye
userAccountControl: 512
userParameters::
userPrincipalName: apuye at corp.van.dwave
uSNChanged: 7588047
uSNCreated: 5713011
whenChanged: 20051122170851.0Z
whenCreated: 20050902184213.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
waggawagga raddb # 

When I run:
Server# radtest apuye password localhost 1 testing123

I get:
rad_recv: Access-Request packet from host 127.0.0.1:49732, id=181,
length=57
        User-Name = "apuye"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(sAMAccountName=apuye)'
radius_xlat:  'ou=Information Technology,ou=DataWave
Users,dc=corp,dc=van,dc=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 0
rlm_ldap: bind as cn=apuye,ou=Information Technology,ou=DataWave
Users,DC=corp,DC=van,DC=dwave/ to w2kserver.corp.van.dwave:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Information Technology,ou=DataWave
Users,dc=corp,dc=van,dc=dwave, with filter (sAMAccountName=apuye)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

My radiusd.conf file looks like this:

ldap {
        server = "w2kserver.corp.van.dwave"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "cn=apuye,ou=Information Technology,ou=DataWave Users,DC=corp,DC=van,DC=dwave"
        # password = mypass
        password_attribute = "password"
        #basedn= "DC=corp,DC=van,DC=dwave"
        basedn = "ou=Information Technology,ou=DataWave Users,dc=corp,dc=van,dc=dwave"
        #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        #filter = "(SamAccountName=%U)"
        # base_filter = "(objectclass=radiusprofile)"


Any help is greatly appreciated.

Does anyone want to share a working ldap section to Active Directory?

Thanks in advance

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817 
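The ldapsearch output and the rlm_ldap debug above make two things visible: the configured identity is cn=apuye,... while the directory's DN for that account is CN=Alhagie Puye,..., and the bind password line is commented out. The following check is an added example (not code from the post or from FreeRADIUS) that parses a folded LDIF entry and an ldap section of radiusd.conf and reports both conditions; the LDIF and config samples are constructed from the values shown in the thread.

```python
# Added example (not from the post): sanity-check an rlm_ldap section.
import re

# Constructed LDIF as ldapsearch prints it: a continuation line starts with a space.
LDIF = """\
dn: CN=Alhagie Puye,OU=Information Technology,OU=Datawave Users,DC=corp,DC=van
 ,DC=dwave
sAMAccountName: apuye
"""

# Constructed ldap section (abridged from the post; password stays commented out).
RADIUSD_LDAP = """\
ldap {
    identity = "cn=apuye,ou=Information Technology,ou=DataWave Users,DC=corp,DC=van,DC=dwave"
    # password = mypass
    basedn = "ou=Information Technology,ou=DataWave Users,dc=corp,dc=van,dc=dwave"
}
"""

def unfold_ldif(text):
    """Join LDIF continuation lines and return {attribute: [values]}."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # folded continuation of the previous line
        else:
            lines.append(line)
    attrs = {}
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        attrs.setdefault(key.strip(), []).append(val.lstrip(": "))
    return attrs

def normalize_dn(dn):
    """Comparison key: RDN attribute case and spacing are not significant."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def config_value(conf, key):
    """Value of an uncommented `key = "value"` line, or None if absent."""
    m = re.search(r'^\s*%s\s*=\s*"?([^"\n]*?)"?\s*$' % re.escape(key), conf, re.M)
    return m.group(1) if m else None

def check_ldap_section(conf, ldif):
    """Return findings that explain a successful-but-useless bind or a failed search."""
    real_dn, findings = unfold_ldif(ldif)["dn"][0], []
    identity = config_value(conf, "identity")
    if identity and normalize_dn(identity) != normalize_dn(real_dn):
        findings.append("identity DN differs from directory DN: " + real_dn)
    if config_value(conf, "password") is None:
        findings.append("no bind password set; the bind is effectively unauthenticated")
    return findings
```

Run against the samples it reports both findings; point it at the real ldapsearch output and radiusd.conf to re-check after editing the identity and password lines.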

