LDAP + Active Directory Authentication Issue

Luke Ramsden lukermsdn at gmail.com
Fri Dec 13 15:29:36 CET 2013


Thank you all. With your help I have made progress.

I can now successfully authenticate the user 'test' against Active
Directory if I open up another terminal and run:
radtest -t mschap test password localhost 0 testing 123

However, the 'no Auth-Type found' error still occurs if I send the request
from my console server. Is this because the request from the console server
needs to specify use of mschap?

Thanks again


On Thu, Dec 12, 2013 at 10:10 PM, <stefan.paetow at diamond.ac.uk> wrote:

> Luke,
>
> Unless you are storing passwords in Active Directory in plain text or you
> want to use Kerberos authentication, you will have to use MSCHAPv2 (or its
> EAP equivalent, EAP-MSCHAPv2).
>
> In that case, follow
> http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+sourceand see if that's more useful than the URL you originally posted.
>
> And please, post a full debug log of an authentication attempt. It's much
> appreciated by the gurus on the list. :-)
>
> Stefan
>
>
> ________________________________
> From: freeradius-users-bounces+stefan.paetow=
> diamond.ac.uk at lists.freeradius.org[freeradius-users-bounces+stefan.paetow=
> diamond.ac.uk at lists.freeradius.org] on behalf of Luke Ramsden [
> lukermsdn at gmail.com]
> Sent: Thursday, December 12, 2013 6:48 PM
> To: freeradius-users at lists.freeradius.org
> Subject: LDAP + Active Directory Authentication Issue
>
> Hi, I am trying to authenticate users against Active Directory using LDAP.
> I can perform the initial bind using an ldap bind account. I can then
> successfully find the Distinguished Name in Active Directory given a domain
> user's username. I would now like to re-bind using that Distinguished Name
> in order to authenticate the password they supplied as described in point 4
> here:
>
>
> http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/
>
> The problem I am having is my server errors out with 'No Auth-Type found'
> come authentication time. I added 'set_auth_type = yes' to
> mods-available/ldap but it seems to have had no effect.
>
> I am very new to this so am still finding my feet - can anyone help?
>
>
> Subset of output from terminal (redacted some personal info):
>
> (0) ldap : Performing search in 'ou=Users,dc=example,dc=domain,dc=com'
> with filter '(uid=example-user)'
> (0) ldap : Waiting for search result...
> (0) ldap : User object found at DN
> "CN=Name,OU=Users,DC=example,DC=domain,DC=com"
> rlm_ldap (ldap): Released connection (4)
> rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
> (0)    [ldap] = ok
> (0)    [chap] = noop
> (0)    [mschap] = noop
> (0)    [digest] = noop
> (0) suffix : No '@' in User-Name = 'example-user', looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0)    [suffix] = noop
> (0) eap : No EAP-Message, not doing EAP
> (0)    [eap] = noop
> (0)    [files] = noop
> (0)    [expiration] = noop
> (0)    [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not
> setting Auth-Type.
> (0) WARNING: pap : Authentication will fail unless a "known good" password
> is available.
> (0)    [pap] = noop
> (0) } #  authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post Auth-Type =
> Reject
> (0) Failed to authenticate the user.
> (0) Using Post-Auth-Type Reject
>
> Many thanks
>
> --
> This e-mail and any attachments may contain confidential, copyright and or
> privileged material, and are for the use of the intended addressee only. If
> you are not the intended addressee or an authorised recipient of the
> addressee please notify us of receipt by returning the e-mail and do not
> use, copy, retain, distribute or disclose the information in or attached to
> the e-mail.
> Any opinions expressed within this e-mail are those of the individual and
> not necessarily of Diamond Light Source Ltd.
> Diamond Light Source Ltd. cannot guarantee that this e-mail or any
> attachments are free from viruses and we cannot accept liability for any
> damage which you may sustain as a result of software viruses which may be
> transmitted in or with the message.
> Diamond Light Source Limited (company no. 4375679). Registered in England
> and Wales with its registered office at Diamond House, Harwell Science and
> Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20131213/daf04082/attachment-0001.html>


More information about the Freeradius-Users mailing list