FreeRADIUS & AD LAP Communication
Russell Mike
radius.sir at gmail.com
Wed Nov 20 18:01:03 CET 2013
Dear good people, greetings.
Version Information: FreeRADIUS 2.2.0.
Question: What does the following mean? Is it not the authentication area in
the "default" virtual server? I have listed "ldap" there.
1.) rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed
in the "authenticate" section.
2.) I have one Linux OpenLDAP server; FreeRADIUS auth works from that LDAP
server with the following configuration. Please note that the password storage in
the destination Linux LDAP server is cleartext. I check using the following
command.
    radtest mike aabb88@ localhost 1812 HYbbunINFDR$88
# CentOS OpenLDAP server
server = "ldapserver-mydomain.net"
identity = "cn=Administrator,dc=ldap-mydomain,dc=net"
password = "password"
basedn = "dc=mydomain,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
I receive Access-Accept!!! No problem.
3.) When I do a user query from FreeRADIUS to a Windows Domain Controller
(Server 2012 x64).
# Windows Domain Controller Server 2012 64-Bit AD
server = "ldap-mydomain.com"
identity = "cn=Administrator,cn=Users,dc=ldap-mydomain,dc=com"
password = "password"
basedn = "dc=ldap-mydomain,dc=com"
# Enable One Filter Only
#filter = "(SamAccountName=%u)"
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
3a) The following is the output with Access-Reject. Perhaps because password
storage in AD is not cleartext, is it due to that? Perhaps it cannot be
tested with radtest? I am using the following to test; is it the correct test?
    radtest mike aabb88@ localhost 1812 HYbbunINFDR$88
4.) rad_recv: Access-Request packet from host 127.0.0.1 port 46861, id=137, length=75
User-Name = "mike"
User-Password = "aabb88@"
NAS-IP-Address = 14.14.14.14
NAS-Port = 1812
Message-Authenticator = 0x4a3417dcf9e80de96f2274fbfa6f5c4d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "mike", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for mike
[ldap] expand: (SamAccountName=%u) -> (SamAccountName=mike)
[ldap] expand: dc=ldap-teledataict,dc=com -> dc=ldap-teledataict,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap-mydomain.net:389, authentication 0
[ldap] bind as cn=Administrator,cn=Users,dc=ldap-teledataict,dc=com/rootadmin to ldap-mydomain.net:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=ldap-teledataict,dc=com, with filter (SamAccountName=mike)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user mike authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[forevertimecounter] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[gigawordcounter] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/auth_all
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> mike
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 137 to 127.0.0.1 port 46861
Waking up in 4.9 seconds.
Cleaning up request 0 ID 137 with timestamp +3
Ready to process requests.
Thanks / Regards
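The configuration below is an added example, not part of the original post, and addresses both questions at once. The "Over-riding set_auth_type" message is rlm_ldap saying at startup that it would normally set Auth-Type := LDAP for any user whose password attribute cannot be retrieved, but it refused to because the "ldap" module is not listed in the authenticate section of the virtual server (listing it in authorize is not enough). Active Directory never returns a readable password attribute over LDAP, so in the debug output the pap module finds no "known good" password, nothing sets an Auth-Type, and the request is rejected; OpenLDAP worked only because its userPassword attribute is cleartext and readable by the bind account. The fix is to let rlm_ldap authenticate by binding to AD as the user with the cleartext User-Password carried in the PAP request. Hostnames, the bind DN and the certificate path are placeholders, and the authorize list is reduced to the modules relevant here.

```text
# /etc/freeradius/modules/ldap   (FreeRADIUS 2.2.x; placeholders, not a real site)
ldap {
	server = "dc1.example.com"
	# Use a dedicated read-only account for the search bind, not the
	# domain Administrator seen in the debug output.
	identity = "cn=radius-bind,cn=Users,dc=example,dc=com"
	password = "bind-account-password"
	basedn = "dc=example,dc=com"

	# AD users log on with sAMAccountName, which is usually not the same as cn.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Default is already "yes": set Auth-Type := LDAP when no password
	# attribute was retrieved, but only if ldap is listed under authenticate.
	set_auth_type = yes

	# A simple bind sends the user's password to the DC; AD accepts it in
	# cleartext on 389, so wrap it in StartTLS (or use port = 636).
	tls {
		start_tls = yes
		cacertfile = /etc/raddb/certs/ad-ca.pem
		require_cert = "demand"
	}
}

# /etc/freeradius/sites-enabled/default   (only the relevant modules shown)
authorize {
	preprocess
	suffix
	eap
	ldap	# looks the user up; for AD users sets Auth-Type := LDAP
	pap	# still used for directories that return userPassword (OpenLDAP)
}

authenticate {
	Auth-Type PAP {
		pap
	}

	# Enabling this block is what the "Over-riding set_auth_type" message
	# is asking for: rlm_ldap authenticates by binding as the user's DN.
	Auth-Type LDAP {
		ldap
	}
}
```

After restarting radiusd -X, the same radtest should show the ldap module binding as the user's DN in the authenticate section and an Access-Accept instead of the "No authenticate method" error. Two caveats when testing: single-quote the shared secret on the command line, because an unquoted `$88` is expanded by the shell before radtest ever sees it; and this bind-as-user method only works for PAP, where the cleartext password is in the request. Windows clients doing MS-CHAPv2 or PEAP cannot be authenticated by an LDAP bind at all; for those the mschap module with ntlm_auth against a domain-joined Samba/winbind is the usual route.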