Can't figure out Group Authentication

Mon Jun 25 14:53:49 CEST 2012

Julson, Jim wrote:
> Okay, so I think I’m getting closer.  But I have a few challenges
> still.  I am slowly learning how to parse the RADIUS –X debug output,
> now it’s a matter of knowing what to do with the information.

  Use the handy form at:

networkradius.com/freeradius.html

  It tells you the important things to look at.

> 1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is
> that the case with FreeRADIUS?) 

  It shouldn't be, but you never know.

> 2.  Recursive searches were a problem.  See below for how the basic
> Active Directory structure looks for us (Note the spaces in the names). 
> For Cacti, I had to create a new OU, with a new Security Group that
> didn’t have spaces in it.  That was the only way I could get LDAP Binds
> to work for Group Authentication.  (I find it hard to belive that’s the
> case with FreeRADIUS…I tend to lean more towards my bad configuration).

  Recursive searches are supported in FreeRADIUS.  See the "rebind"
configuration in the ldap module.

> So, in that example, if I wanted to have a user be Authenticated who
> resides in “ADMIN – Users”, but the group is in “ADMIN – Groups”, does
> it matter to the RADIUS LDAP module?

  It shouldn't.

> NOTE:  I am kind of lost here.  I see so many people using so many
> different syntaxes that I’m not sure if I’m using the right one.

  The documentation is correct.  Almost every third-party site is wrong.

>  At
> present, the “users” file is completely default except for the following
> lines I’ve added at the very top.   So, no matter what my LDAP output
> shows, If I uncomment the two lines for ntlm_auth, I can login with any
> Domain User regardless of the top 2 lines that say “Domain Admins”, and
> all others are rejected.  So I’m thinking ultimately my problem is not
> just here, but also with the LDAP bind taking place as you can see below. 
> **************************************
> */etc/raddb/users** *
>  
> DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN -
> Groups,DC=DOMAIN,DC=HOME,DC=COM",

  You just need the group name "admin" or "sales".  Not the whole path.

> Auth-Type = ntlm_auth
> DEFAULT Auth-Type = Reject

  You don't need the default reject.  The server will ALWAYS reject
people it doesn't know.

> Here’s the RADIUSD –X output from my last auth attempt.
>  
> BEGIN RADIUS – X DEBUG OUTPUT
> NOTE:  I’ve changed all my domain information for this troubleshooting,
> and also highlighted anywhere it’s referenced.  I’m hoping I’m
> On the right track with what I’ve highlighted below as to where I
> believe the problem is.

  Part of the reason for the debug output is to show you what's going
on.  It prints out the LDAP queries it does.  You can copy them, and use
them in command-line tests with "ldapsearch".  That helps.

  Alan DeKok.