Help Needed !!! FreeRADIUS Integration with MS AD
Pradyumna
neomatrixgem at gmail.com
Mon Jan 28 10:40:14 CET 2013
Hi,
I am not able to see my authorization happening because I don't see the value-attr or reply message. Please help. Logs attached.
rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92, length=62
User-Name = "radiustest"
User-Password = "password at 123"
NAS-IP-Address = 192.168.0.2
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128
[auth_log] expand: %t -> Mon Jan 28 10:12:16 2013
++[auth_log] returns ok
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radiustest
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user radiustest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for radiustest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radiustest
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))
[ldap] expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user radiustest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ldap
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radiustest" with password "password at 123"
[ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com
[ldap] (re)connect to 192.168.0.3:389, authentication 1
[ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password at 123 to 192.168.0.3:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user radiustest authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 92 to 192.168.0.2 port 39662
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 92 with timestamp +88
Ready to process requests.
Regards,
/Neo
Sent from my iPhone
On 25-Jan-2013, at 3:32 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Do you mean the below in the "users" file?
>>
>> cisco Auth-Type := LDAP
>>
>> Service-Type = Administrative-User,
>> cisco-avpair = "shell:priv-lvl=15"
>
> no.
>
> cisco Auth-Type := LDAP
> Service-Type = Administrative-User,
> cisco-avpair = "shell:priv-lvl=15"
>
>
> (see all the examples in the users file)
>
> alan
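As an added check (not code from the thread), here is a small Python parser for a `radiusd -X` trace like the one above: it lists, per unlang group, which module instances ran and what they returned. Reply items from the users file (where the cisco entry in Alan's reply lives) are added by the rlm_files instance, normally called `files`, when it runs in authorize; in the trace quoted in this message the authorize group contains no `files` line at all, so that is the first thing to confirm. The sample log below is a constructed, trimmed copy of that trace, and the instance name `files` is the default, not something the thread states.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the radiusd -X trace quoted in this thread.
SAMPLE_LOG = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[auth_log] returns ok
[ldap] performing user authorization for radiustest
++[ldap] returns ok
++[digest] returns noop
++[suffix] returns noop
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = ldap
+- entering group LDAP {...}
++[ldap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 92 to 192.168.0.2 port 39662
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+) \{")
MODULE_RE = re.compile(r"^\+\+\[([^\]]+)\] returns (\S+)")

def modules_by_group(log_text):
    """Map each unlang group to the ordered (instance, rcode) pairs it ran.
    Only top-level '++[...]' lines count; deeper '+++[...]' nesting is ignored."""
    groups = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            groups[current].append((m.group(1), m.group(2)))
    return groups

def users_file_consulted(log_text, instance="files"):
    """True only if the rlm_files instance that reads the users file ran in
    authorize; otherwise its reply items (Service-Type, cisco-avpair) never get added."""
    ran = modules_by_group(log_text).get("authorize", [])
    return any(name == instance for name, _ in ran)
```

Run `users_file_consulted(open("radiusd.log").read())` against a saved trace; a `False` result means the users file was never read for that request, regardless of how its entries are written.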