need help authenticating against AD

Michael Phillips mdphilip at hotmail.com
Thu Nov 19 22:37:50 CET 2009


Hello All,

I need some help authenticating against AD. I have followed directions online as best as I can, but things still aren't working as expected. I'm ultimately hoping to have our VPN users and admins logging into Cisco network equipment authenticate against AD through our FreeRADIUS 2 installation. Today, I have been testing authentication from one of our Cisco switches, and I continually receive this basic output:

rad_recv: Access-Request packet from host w.x.y.z port 37611, id=147, length=61
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-IP-Address = w.x.y.z
        NAS-Port = 2000
Thu Nov 19 16:17:34 2009 : Info: +- entering group authorize {...}
Thu Nov 19 16:17:34 2009 : Info: ++[preprocess] returns ok
Thu Nov 19 16:17:34 2009 : Info: [suffix] No '@' in User-Name = "mphillips", looking up realm NULL
Thu Nov 19 16:17:34 2009 : Info: [suffix] No such realm "NULL"
Thu Nov 19 16:17:34 2009 : Info: ++[suffix] returns noop
Thu Nov 19 16:17:34 2009 : Info: [eap] No EAP-Message, not doing EAP
Thu Nov 19 16:17:34 2009 : Info: ++[eap] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
Thu Nov 19 16:17:34 2009 : Info: ++[files] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[expiration] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[logintime] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns updated
Thu Nov 19 16:17:34 2009 : Info: Found Auth-Type = PAP
Thu Nov 19 16:17:34 2009 : Info: +- entering group PAP {...}
Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx"
Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns reject
Thu Nov 19 16:17:34 2009 : Info: Failed to authenticate the user.
Thu Nov 19 16:17:34 2009 : Auth: Login incorrect (rlm_pap: CRYPT password check failed): [mphillips/xxxx] (from client w.x.y.z port 2000)
Thu Nov 19 16:17:34 2009 : Info: Using Post-Auth-Type Reject
Thu Nov 19 16:17:34 2009 : Info: +- entering group REJECT {...}
Thu Nov 19 16:17:34 2009 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> mphillips
Thu Nov 19 16:17:34 2009 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Nov 19 16:17:34 2009 : Info: ++[attr_filter.access_reject] returns updated
Thu Nov 19 16:17:34 2009 : Info: Delaying reject of request 5 for 1 seconds
Thu Nov 19 16:17:34 2009 : Debug: Going to the next request
Thu Nov 19 16:17:34 2009 : Debug: Waking up in 0.9 seconds.
Thu Nov 19 16:17:36 2009 : Info: Sending delayed reject for request 5
Sending Access-Reject of id 147 to w.x.y.z port 37611
Thu Nov 19 16:17:36 2009 : Debug: Waking up in 4.6 seconds.
Thu Nov 19 16:17:42 2009 : Info: Cleaning up request 5 ID 147 with timestamp +1181
Thu Nov 19 16:17:42 2009 : Debug: Ready to process requests.


I can't tell from this output if the RADIUS server is ever even attempting to reach AD. Obviously, if I enter the correct password for my username on the RADIUS server itself, authentication will succeed, but this is not the desired behavior at this time.

Any help is greatly appreciated.

Michael Phillips
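
Added example, not part of the original post: a short Python script that summarizes a radiusd debug trace like the one quoted above, listing which modules ran in each group, which Auth-Type was selected, and whether any directory-facing module appears at all. The names in AD_MODULES are an assumption about how such module instances are usually named, and SAMPLE is a trimmed copy of the trace above.

```python
import re

# Constructed sample: a trimmed copy of the debug trace quoted in the post above.
SAMPLE = """\
Thu Nov 19 16:17:34 2009 : Info: +- entering group authorize {...}
Thu Nov 19 16:17:34 2009 : Info: ++[preprocess] returns ok
Thu Nov 19 16:17:34 2009 : Info: ++[suffix] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[eap] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
Thu Nov 19 16:17:34 2009 : Info: ++[files] returns noop
Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns updated
Thu Nov 19 16:17:34 2009 : Info: Found Auth-Type = PAP
Thu Nov 19 16:17:34 2009 : Info: +- entering group PAP {...}
Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns reject
Thu Nov 19 16:17:36 2009 : Info: Sending delayed reject for request 5
"""

# Assumption: instance names a directory-backed setup would typically show.
AD_MODULES = {"ldap", "mschap", "ntlm_auth", "krb5"}

GROUP = re.compile(r"\+- entering group (\S+)")
RESULT = re.compile(r"\+\+\[([^\]]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"Found Auth-Type = (\S+)")

def summarize(trace):
    """Return modules run per group, the chosen Auth-Type, and modules that changed the request."""
    groups, auth_type, current = {}, None, None
    for line in trace.splitlines():
        if m := GROUP.search(line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif (m := RESULT.search(line)) and current:
            groups[current].append((m.group(1), m.group(2)))
        elif m := AUTH_TYPE.search(line):
            auth_type = m.group(1)
    ran = {name for mods in groups.values() for name, _ in mods}
    return {
        "groups": groups,
        "auth_type": auth_type,
        "updated_in_authorize": [n for n, r in groups.get("authorize", []) if r == "updated"],
        "ad_modules_seen": sorted(ran & AD_MODULES),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("Auth-Type:", s["auth_type"])
    print("authorize modules that updated the request:", s["updated_in_authorize"])
    print("directory modules invoked:", s["ad_modules_seen"] or "none")
```

Run against the trace above, it reports Auth-Type PAP, `unix` and `pap` as the authorize modules that updated the request, and no directory module in any group.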

 		 	   		  