<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1501661140995_4192">Hi Christian,</div><div id="yui_3_16_0_ym19_1_1501661140995_4193"><br></div><div id="yui_3_16_0_ym19_1_1501661140995_4343" dir="ltr"> I have tried commenting out ServerChecksPassword but it does not help. I think if I force Radiator to accept only CHAP requests then it might work. <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4381"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4412">Can someone please tell me the config to force the authentication protocol?</div><div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4414"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4413">Regards,</div><div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4418">-Manish<br></div><div id="yui_3_16_0_ym19_1_1501661140995_4194"><span></span></div> <div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1501661140995_4378"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1501661140995_4215" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1501661140995_4214"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1501661140995_4213"> <div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4380"><font id="yui_3_16_0_ym19_1_1501661140995_4379" face="Arial" size="2"> On Tuesday, August 1, 2017 3:29 PM, Christian Kratzer &lt;ck-lists@cksoft.de&gt; wrote:<br></font></div> <br><br> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1501661140995_4212"><div dir="ltr" id="yui_3_16_0_ym19_1_1501661140995_4211">Hi Arya,<br clear="none"><br clear="none"><div class="yqt2542732412" id="yqtfd72582"><br clear="none">On Tue, 1 Aug 2017, Arya, Manish Kumar wrote:<br clear="none"><br
clear="none">> # Infinera<br clear="none">> &lt;AuthBy LDAP2&gt;<br clear="none">> NoDefault<br clear="none">> Identifier infi_user_auth<br clear="none">> Host xxxx<br clear="none">> Port xxxx<br clear="none">> Timeout 60<br clear="none">> AuthDN xxxx<br clear="none">> AuthPassword xxxxx<br clear="none">> BaseDN xxxxxx<br clear="none">> Scope subtree<br clear="none">> SearchFilter (&amp;(access-device-type=infinera)(raduser=%1))<br clear="none">> UsernameAttr raduser<br clear="none">> PasswordAttr radpass<br clear="none">> ServerChecksPassword<br clear="none">> AuthAttrDef radpass,User-Password,check<br clear="none">> AuthAttrDef my-Infinera-User-Priv-SA,Infinera-User-Priv-SA,reply<br clear="none">> AuthAttrDef my-Infinera-User-Priv-NE,Infinera-User-Priv-NE,reply<br clear="none">> AuthAttrDef my-Infinera-User-Priv-NA,Infinera-User-Priv-NA,reply<br clear="none">> AuthAttrDef my-Infinera-User-Priv-PR,Infinera-User-Priv-PR,reply<br clear="none">> AuthAttrDef my-Infinera-User-Priv-TT,Infinera-User-Priv-TT,reply<br clear="none">> AddToReplyIfNotExist Service-Type=Login-User<br clear="none">> &lt;/AuthBy&gt;<br clear="none"><br clear="none"><br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: Handling request with Handler '', Identifier ''<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: Deleting session for infiuser2, 10.91.142.96,<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: Handling with Radius::AuthLDAP2: infi_user_auth<br clear="none">> Tue Aug 1 11:56:38 2017: INFO: Connecting to 10.91.118.24:389<br clear="none">> Tue Aug 1 11:56:38 2017: INFO: Attempting to bind to LDAP server 10.91.118.24:389<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got result for uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got radpass: abcd1234<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-SA: SA-PRIVILEGED<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-NE:
NE-PRIVILEGED<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-NA: NA-PRIVILEGED<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-PR: PR-PRIVILEGED<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-TT: TT-PRIVILEGED<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 looks for match with infiuser2 [infiuser2]<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: infiuser2 [infiuser2]<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password<br clear="none">> Tue Aug 1 11:56:38 2017: INFO: Access rejected for infiuser2: Bad Password<br clear="none">> Tue Aug 1 11:56:38 2017: DEBUG: Packet dump:</div><br clear="none"><br clear="none"><br clear="none">You are using ServerChecksPassword in the above config, which means Radiator does not compare the password itself but tries to bind to the LDAP server with the user credentials.<br clear="none"><br clear="none">In your case it is highly probable that the LDAP server does not allow "uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net" to bind to your LDAP, which is what the above logs are trying to tell you.<br clear="none"><br clear="none">Just remove the ServerChecksPassword from the AuthBy LDAP2 and it should work.<br clear="none"><br clear="none">Greetings<br clear="none">Christian<br clear="none"><br clear="none">-- <br clear="none">Christian Kratzer CK Software GmbH<br clear="none">Email: <a shape="rect" ymailto="mailto:ck@cksoft.de" href="mailto:ck@cksoft.de">ck@cksoft.de</a> Wildberger Weg 24/2<br clear="none">Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden<br clear="none">Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart<br clear="none">Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer<br clear="none">Web: <a shape="rect" href="http://www.cksoft.de/" target="_blank">http://www.cksoft.de/</a><div class="yqt2542732412"
id="yqtfd97318"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>
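The two password-checking modes discussed in this thread (the server comparing against the password attribute it read from the directory, versus handing the check to the directory with a bind as the user), as an added protocol-level example that is not Radiator's code and not from either poster. It generalizes to both PAP (RFC 2865 User-Password) and CHAP (RFC 1994); the function names, request dictionaries, sample password and shared secret are all constructed for illustration.

```python
import hashlib
import hmac

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, secret, authenticator):
    """RFC 2865 User-Password hiding, as a NAS does before sending."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """Reverse the hiding: PAP is reversible, so the server gets cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP: one-way MD5 over id, password and challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def check_locally(req, stored, secret):
    """Server read the cleartext password attribute and compares it itself."""
    if "chap_response" in req:
        want = chap_response(req["chap_id"], stored, req["challenge"])
        return hmac.compare_digest(want, req["chap_response"])
    got = pap_recover(req["user_password"], secret, req["authenticator"])
    return hmac.compare_digest(got, stored)

def check_by_bind(req, secret, bind):
    """Directory checks the password: the server needs cleartext to bind with."""
    if "chap_response" in req:
        return False  # only a hash arrived; there is nothing to bind with
    return bind(pap_recover(req["user_password"], secret, req["authenticator"]))

def demo():
    # Constructed sample values, not taken from the thread.
    stored, secret, rnd = b"example-pass", b"example-secret", bytes(range(16))
    pap = {"authenticator": rnd, "user_password": pap_hide(stored, secret, rnd)}
    chap = {"chap_id": 7, "challenge": rnd, "chap_response": chap_response(7, stored, rnd)}
    bind = lambda pw: pw == stored  # hypothetical stand-in for an LDAP bind as the user
    return {"pap_local": check_locally(pap, stored, secret), "chap_local": check_locally(chap, stored, secret),
            "pap_bind": check_by_bind(pap, secret, bind), "chap_bind": check_by_bind(chap, secret, bind)}
```

Local comparison works for both request types only because the directory attribute holds the password in cleartext; the bind path can serve PAP alone, since a CHAP request never carries the password.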