Free radius authentication with AD using ldap
Vikash Gounder
Vikash.Gounder at acu.edu.au
Mon Nov 28 22:03:21 CET 2011
Hi Fajar,
Thanks so much for replying.
The debug log for the local test against AD is attached:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35067, id=16, length=61
User-Name = "uldaptest"
User-Password = "usk.173n!"
NAS-IP-Address = 192.148.223.54
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20111129
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20111129
[auth_log] expand: %t -> Tue Nov 29 07:54:47 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "uldaptest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for uldaptest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=uldaptest))
[ldap] expand: dc=acu,dc=edu,dc=au -> dc=acu,dc=edu,dc=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 0
rlm_ldap: bind as cn=Radauth,cn=Users,dc=acustaff,dc=acu,dc=edu,dc=au/9yRD1133 to acustaff.acu.edu.au:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=acu,dc=edu,dc=au, with filter (&(sAMAccountName=uldaptest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user uldaptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "uldaptest" with password "usk.173n!"
[ldap] user DN: CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au
rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 1
rlm_ldap: bind as CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au/usk.173n! to acustaff.acu.edu.au:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user uldaptest authenticated succesfully
++[ldap] returns ok
expand: Host %n -> Host 192.148.223.54
Login OK: [uldaptest] (from client localhost port 0) Host 192.148.223.54
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 127.0.0.1 port 35067
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +4
Ready to process requests.
And the reply:
[root at panvpufreeradi1 ~]# radtest uldaptest usk.173n! localhost 0 testing123
Sending Access-Request of id 16 to 127.0.0.1 port 1812
User-Name = "uldaptest"
User-Password = "usk.173n!"
NAS-IP-Address = 192.148.223.54
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=16, length=20
On the AD, the user is configured; is there any extra setting that I need to do on AD which I am not aware of?
I have a question for you: if only using it for WPA, do I also need to configure Samba and use ntlm_auth, since this RADIUS device will be used by iPads, netbooks, etc.?
Here is the configuration for default and inner-tunnel without the comments; I may have done something wrong here:
default
----------------------
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    ldap
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    #eap
}
------------
Inner tunnel
---------------------
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
} # inner-tunnel server block
---------------------
I greatly appreciate your feedback. Do advise if you need to view other config files.
Thanks
Vikash
-----Original Message-----
From: freeradius-users-bounces+vikash.gounder=acu.edu.au at lists.freeradius.org [mailto:freeradius-users-bounces+vikash.gounder=acu.edu.au at lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Monday, 28 November 2011 4:44 PM
To: FreeRadius users mailing list
Subject: Re: Free radius authentication with AD using ldap
On Mon, Nov 28, 2011 at 12:29 PM, Vikashgounder <Vikash.gounder at acu.edu.au> wrote:
> From the local radtest I can see, it is authenticating fine but when
> testing
... and where is the debug log for that?
> with a wpa device, this is the error m getting on the debug log:
It's quite informative, actually:
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
If you use AD as ldap, the user password is not accessible in any ldap attribute. Thus you normally have to use ntlm_auth. See
- http://deployingradius.com/documents/configuration/active_directory.html
- http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
(old version, but some of it might be still relevant)
Some other things to check:
- Are you setting Auth-Type manually? You shouldn't need to
- If you REALLY have radtest working, then it's usually a matter of making sure configuration in sites-available/default (the one used if you use PAP directly, e.g. with radtest) is also in sites-available/inner-tunnel (the one used to handle AAA inside EAP tunnel, like when you use EAP-PEAP-MSCHAPv2)
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html