Get AD Profile

Nelson Vale nelsonduvall at
Sat Jul 12 22:58:03 CEST 2008

Hi all,

I have my FreeRADIUS deployment (2.0.2) configured to authenticate users against
Active Directory and that is working fine. But I want to retrieve the user's
profile from Active Directory, to add the VLAN ID (Tunnel-Private-Group-ID) to the
Access-Accept reply.

I really don't know how to do this and I couldn't find a clear solution, either
in the documentation (rlm_ldap) or by googling. So I would appreciate it if someone
could give me a hand on this.

What I've done so far is to add this entry to the ldap.attrmap file: "replyItem
radiusProfileDn memberOf". The profile I want to retrieve is the CN in this
object, like "cn=PROFILE,dc=domain,dc=com", but in the radius debug I'm getting
this error:

++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
        expand: %{Stripped-User-Name} -> figo
(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) ->
        expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Failed to create the pair: Invalid octet string
"CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
        expand: %{Stripped-User-Name} -> figo
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo
++[files] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil
port 0 cli 02-00-00-00-00-01)
Sending Access-Accept of id 17 to port 33000
        User-Name = "figo"
        MS-MPPE-Recv-Key =
        MS-MPPE-Send-Key =
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000

Is this the way to achieve what I want, or am I completely wrong?


Nelson Vale
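One way to do what the post is asking for, as an added example rather than anything from the original message or from the FreeRADIUS project: in FreeRADIUS 2.x rlm_ldap registers the `Ldap-Group` check item, so a `users` file entry can match on Active Directory group membership and return the RFC 2868 tunnel attributes that carry the VLAN, without mapping memberOf through ldap.attrmap. Assumptions: the file paths, the `server`/`identity`/`password` values and the VLAN ids are placeholders; the group DN, base DN and search filter are taken from the debug output above.

```text
# /etc/raddb/modules/ldap (assumed path) -- rlm_ldap instance, FreeRADIUS 2.x
ldap {
        server   = "ad.ldaptest.com"                          # placeholder
        identity = "cn=radius,cn=Users,dc=ldaptest,dc=com"    # placeholder bind account
        password = "REPLACE_ME"                               # placeholder
        basedn   = "dc=ldaptest,dc=com"
        filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Active Directory stores group membership on the user object (memberOf),
        # so tell rlm_ldap to read it from there instead of from the group entry.
        groupmembership_attribute = "memberOf"
        groupname_attribute       = "cn"

        dictionary_mapping = ${confdir}/ldap.attrmap
}

# /etc/raddb/users (assumed path)
# Ldap-Group is a check item: a user whose memberOf contains this DN
# gets VLAN 10 in the Access-Accept.
DEFAULT Ldap-Group == "CN=grupo1,DC=ldaptest,DC=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Users in no mapped group land on a restricted VLAN (placeholder id)
# rather than getting an Access-Accept with no VLAN at all.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"
```

With PEAP the reply attributes are produced by the inner tunnel, so `use_tunneled_reply = yes` in the peap section of eap.conf is needed for them to be copied to the outer Access-Accept.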