Freeradius 3.x with LDAP authentication

Adam Cage adamcage27 at gmail.com
Thu Aug 17 14:32:36 CEST 2017


Alan, you were right.....I hadn't joined the domain because this is a
new server, I forgot it !!!

After joining the domain, the radtest worked OK.

Special thanks to all of you and now I have to make the ldap authorization
clauses based on SSID and ldap-groups....maybe I will ask for your help
again.

Regards!!!


2017-08-17 4:11 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Aug 17, 2017, at 3:50 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Dear, I've tried to understand what you said and I've made some changes:
> >
> > * I've deleted the content of /etc/freeradius/users corresponding to
> > the ldap-group attribute
>
>   Good...
>
> > * I've added the ldap-group clauses in
> > /etc/freeradius/sites-available/default and inner-tunnel, as you said. I
> > have not the ultimate clause yet, so the clause is a noop if users belong
> > to the Group1 group:
>
>   That's fine.
>
> > Here I show you the log for the success test (Alan DeKok's guide exactly,
> > without LDAP authorization) and after that the log for the failure test
> > (adding LDAP support as described above), in order to confirm that mschap
> > in the success test does not have the "NOT TRUSTED SAM ACCOUNT" error that
> > appears in the failure case, being the same AD in both cases:
>
>   Adding an "LDAP-Group" check just can't create that error.  The error is
> because of something else.  Likely that Samba hasn't actually joined the AD
> domain.
>
>   While I understand this is frustrating, the error is *entirely* between
> ntlm_auth and AD.  No amount of poking at FreeRADIUS will fix the problem.
>
>   You will have to check that Samba is actually joined to the domain, and
> debug issues there.
>
>   You *can* run ntlm_auth manually, using the information provided in the
> debug output:
>
> $ ntlm_auth --username=adam --domain=D-HOLOMIT --challenge=e1248c7251ea7e63 --nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
>
>   Keep running that (and fixing AD / Samba issues) until you get "success"
> returned.  FreeRADIUS will then work.
>
>   Alan DeKok.
>
>
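A small shell helper, added here as an example and not part of the thread or of FreeRADIUS/Samba, for the check Alan describes: confirm the Samba domain join first, then replay the exact ntlm_auth call shown in the radiusd -X output. It assumes the usual Samba tools (net, wbinfo, ntlm_auth) are on PATH, and that the challenge and NT-Response copied from the debug output are 8 and 24 bytes of hex respectively (the MS-CHAPv2 challenge hash and NT-Response lengths); the sample values are the ones quoted in the message above.

```shell
#!/bin/sh
# Replay the ntlm_auth check from a FreeRADIUS mschap debug line after
# confirming the Samba domain join. Example helper, not FreeRADIUS/Samba code.

# is_hex LEN STRING: succeed only if STRING is exactly LEN hex digits.
is_hex() {
    len=$1; val=$2
    [ "${#val}" -eq "$len" ] || return 1
    case "$val" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# validate_mschap_params CHALLENGE NT_RESPONSE: the challenge hash handed to
# ntlm_auth for MS-CHAPv2 is 8 bytes (16 hex digits) and the NT-Response is
# 24 bytes (48 hex digits). A copy/paste error from the debug log is caught
# here instead of surfacing as a misleading ntlm_auth failure.
validate_mschap_params() {
    is_hex 16 "$1" || { echo "bad challenge: expected 16 hex digits" >&2; return 1; }
    is_hex 48 "$2" || { echo "bad nt-response: expected 48 hex digits" >&2; return 1; }
    return 0
}

# check_domain_join: verify the machine account and the winbind trust secret
# before touching FreeRADIUS at all. Returns 0 only if both checks pass.
check_domain_join() {
    net ads testjoin >/dev/null 2>&1 || { echo "net ads testjoin failed: not joined" >&2; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "wbinfo -t failed: trust secret broken" >&2; return 1; }
    return 0
}

# replay_ntlm_auth USER DOMAIN CHALLENGE NT_RESPONSE: run the same command the
# mschap module runs; exit status 0 means AD accepted the response.
replay_ntlm_auth() {
    validate_mschap_params "$3" "$4" || return 1
    ntlm_auth --username="$1" --domain="$2" --challenge="$3" --nt-response="$4"
}

# Values quoted in the thread's debug output; pass "run" to execute the checks.
if [ "${1:-}" = "run" ]; then
    check_domain_join && \
    replay_ntlm_auth adam D-HOLOMIT e1248c7251ea7e63 \
        d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
fi
```

Run it as `sh replay_ntlm_auth.sh run` on the RADIUS server itself, since ntlm_auth must talk to the local winbind; a non-zero exit from the join checks means the fix belongs in Samba, not FreeRADIUS.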
