Free radius authentication with AD using ldap

Fajar A. Nugraha list at fajar.net
Tue Nov 29 00:21:09 CET 2011


On Tue, Nov 29, 2011 at 4:03 AM, Vikash Gounder
<Vikash.Gounder at acu.edu.au> wrote:
> Hi Fajar,
>
> Thanks so much for replying.
>
> The debug log for local test against AD is attached:
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 35067, id=16, length=61
>        User-Name = "uldaptest"

See this line?
>        User-Password = "usk.173n!"

> [ldap] user DN: CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au
> rlm_ldap: (re)connect to acustaff.acu.edu.au:3268, authentication 1
> rlm_ldap: bind as CN=Unilinc ldaptest,OU=System Accounts,OU=Generic Accounts,DC=acustaff,DC=acu,DC=edu,DC=au/usk.173n! to acustaff.acu.edu.au:3268
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> [ldap] user uldaptest authenticated succesfully

This is ldap bind. It'll work if the user password is available as
plain text in the request (e.g. using PAP with radtest). It will not
work if the user password is not available in the request (e.g.
PEAP-MSCHAP-v2).

> I got a question for you?? If only using for WPA, do I also need to configure samba and use nltm_auth, since this radius device will be used by ipad, netbooks etc etc etc....

Yes, since you set your AP to use WPA2/radius auth the clients will
usually use EAP-PEAP-MSCHAPv2, where user password is not available as
plain text in the request.

-- 
Fajar
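As an added example (not from Fajar's reply and not the FreeRADIUS project's own configuration), here is how the two paths described above look in a FreeRADIUS 2.x setup: the LDAP bind stays in place for PAP requests, and MS-CHAPv2 from the PEAP inner tunnel is handed to AD through Samba's ntlm_auth. The ntlm_auth path, the winbind socket directory and the module ordering are assumptions about a typical install.

```text
# --- raddb/modules/mschap ---
# An MS-CHAPv2 request carries only the challenge and a 24-byte
# NT-Response, never the password, so the server cannot use it to bind
# to LDAP; it asks the domain to verify the response instead.
# Prerequisites: host joined to the domain (net ads join), winbindd
# running, and the radiusd user allowed to read the winbind privileged
# pipe (commonly /var/lib/samba/winbindd_privileged, path assumed).
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- raddb/sites-enabled/inner-tunnel (PEAP inner EAP-MSCHAPv2 leg) ---
# ldap remains in authorize for the user lookup and group checks only;
# the authenticate section dispatches on what the request actually carries.
authorize {
	mschap
	eap
	ldap
}
authenticate {
	Auth-Type LDAP {
		ldap        # PAP only: a cleartext User-Password is in the request
	}
	Auth-Type MS-CHAP {
		mschap      # PEAP/MS-CHAPv2: response verified by AD via ntlm_auth
	}
	eap
}
```

Before debugging RADIUS, running `ntlm_auth --request-nt-key --domain=<DOMAIN> --username=<user> --password=<pw>` from a shell as the radiusd user proves the Samba/winbind side on its own.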
