need help authenticating against AD

Paul Ryszka paul at webangel.ie
Thu Nov 19 23:21:24 CET 2009


Hi,

It doesn't look like you are using AD authentication.
Are you trying to set up ntlm_auth?

Here is a good description:
http://deployingradius.com/documents/configuration/active_directory.html

Regards
Paul

On Thu, 2009-11-19 at 21:37 +0000, Michael Phillips wrote:
> Hello All,
> 
> I need some help authenticating against AD. I have followed directions
> online as best as I can, but things still aren't working as expected.
> I'm ultimately hoping to have our VPN users and admins logging into
> Cisco network equipment authenticate against AD through our FreeRADIUS
> 2 installation. Today, I have been testing authentication from one of
> Cisco switches, and I continually receive this basic output:
> 
> rad_recv: Access-Request packet from host w.x.y.z port 37611, id=147,
> length=61
>         User-Name = "mphillips"
>         User-Password = "xxxx"
>         NAS-IP-Address = w.x.y.z
>         NAS-Port = 2000
> Thu Nov 19 16:17:34 2009 : Info: +- entering group authorize {...}
> Thu Nov 19 16:17:34 2009 : Info: ++[preprocess] returns ok
> Thu Nov 19 16:17:34 2009 : Info: [suffix] No '@' in User-Name =
> "mphillips", looking up realm NULL
> Thu Nov 19 16:17:34 2009 : Info: [suffix] No such realm "NULL"
> Thu Nov 19 16:17:34 2009 : Info: ++[suffix] returns noop
> Thu Nov 19 16:17:34 2009 : Info: [eap] No EAP-Message, not doing EAP
> Thu Nov 19 16:17:34 2009 : Info: ++[eap] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> Thu Nov 19 16:17:34 2009 : Info: ++[files] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[expiration] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[logintime] returns noop
> Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns updated
> Thu Nov 19 16:17:34 2009 : Info: Found Auth-Type = PAP
> Thu Nov 19 16:17:34 2009 : Info: +- entering group PAP {...}
> Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password
> "xxxx"
> Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
> Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns reject
> Thu Nov 19 16:17:34 2009 : Info: Failed to authenticate the user.
> Thu Nov 19 16:17:34 2009 : Auth: Login incorrect (rlm_pap: CRYPT
> password check failed): [mphillips/xxxx] (from client w.x.y.z port
> 2000)
> Thu Nov 19 16:17:34 2009 : Info: Using Post-Auth-Type Reject
> Thu Nov 19 16:17:34 2009 : Info: +- entering group REJECT {..}
> Thu Nov 19 16:17:34 2009 : Info: [attr_filter.access_reject]
> expand: %{User-Name} -> mphillips
> Thu Nov 19 16:17:34 2009 : Debug:  attr_filter: Matched entry DEFAULT
> at line 11
> Thu Nov 19 16:17:34 2009 : Info: ++[attr_filter.access_reject] returns
> updated
> Thu Nov 19 16:17:34 2009 : Info: Delaying reject of request 5 for 1
> seconds
> Thu Nov 19 16:17:34 2009 : Debug: Going to the next request
> Thu Nov 19 16:17:34 2009 : Debug: Waking up in 0.9 seconds.
> Thu Nov 19 16:17:36 2009 : Info: Sending delayed reject for request 5
> Sending Access-Reject of id 147 to w.x.y.z port 37611
> Thu Nov 19 16:17:36 2009 : Debug: Waking up in 4.6 seconds.
> Thu Nov 19 16:17:42 2009 : Info: Cleaning up request 5 ID 147 with
> timestamp +1181
> Thu Nov 19 16:17:42 2009 : Debug: Ready to process requests.
> 
> 
> I can't tell from this output if the RADIUS server is ever even
> attempting to reach AD. Obviously, if I enter the correct password for
> my username on the RADIUS server itself, authentication will succeed,
> but this is not the desired behavior at this time.
> 
> Any help is greatly appreciated.
> 
> Michael Phillips
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





