(RADIATOR) Problem with

Allister Maguire amaguire at actonz.com
Tue Feb 5 03:07:03 CST 2002


Hello,

We are testing Radiator with LDAP to Active Directory; the problem is that
Radiator seems to drop authentication attempts. What we have found: at
Radiator Trace level 4, dialling in with a couple of test clients, the first
client fails due to no such user (this is correct, we see the Access-Reject
on screen), the second client fails with "Error 691: Access was denied
because the username and/or password was invalid on the domain." (This
is incorrect, the username and password are correct. Also no Access-Request
or Access-Reject shows up.) Try again and it works; it seems to be a timing
issue with multiple attempts.

We are using the demo of Radiator on Debian 2.2r5, clients are Windows
XP, AD is on Windows 2000 Advanced Server and the test RAS is an Ascend 4000.

Would this be a problem with our test NAS, Radiator, the server
Radiator's on, or Active Directory?

Can anyone help?

Thanks

Allister Maguire




# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with 
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.1 2001/05/17 05:33:34 mikem Exp $

Foreground
LogStdout
LogDir          /var/log/radacct/radius
DbDir           .
Trace           4
LogFile         %L/%Y-logfile

DictionaryFile /home/amaguire/Radiator/dictionary.ascend


# You will probably want to add other Clients to suit your site.
<Client localhost>
        Secret  mysecret
        DupInterval 0
</Client>

<Client 192.168.0.11>
        Secret  XXXXX
        DupInterval 0
</Client>

# Authenticates users in the Organisational Unit called 'csx users'.
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.
<Realm DEFAULT>
        <AuthBy LDAP2>
                Host            192.168.0.6
                AuthDN          cn=Proxy User,ou=Resources,ou=Globe.Net Communications Ltd,dc=gnc,dc=net,dc=nz
#               AuthPassword    yourADadminpasswordhere
                AuthPassword    XXXXX
                BaseDN          ou=People,ou=Globe.Net Communications Ltd,dc=gnc,dc=net,dc=nz
                UsernameAttr sAMAccountName
#               PasswordAttr msSFUPassword
                # Password checking is performed using an LDAP bind operation.
                ServerChecksPassword

                # TCP connection timeout period, for LDAP server.
                Timeout 2

                AddToReply Service-Type = Framed-User,\
                        Framed-Protocol = PPP,\
                        Framed-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-Compression = Van-Jacobson-TCP-IP,\
                        Ascend-Maximum-Channels = 1

                AuthAttrDef radiusIdleTimeout,Ascend-Idle-Limit,reply
                AuthAttrDef radiusSessionTimeout,Ascend-Maximum-Time,reply
                AuthAttrDef radiusCallingStationID,Caller-Id,check
#               AuthAttrDef radiusCalledStationID,,check
                AuthAttrDef radiusNASPortType,NAS-Port-Type,check

                # Reply with all the items in replyitems
#               ReplyAttr radiusConnectionAttributes

        </AuthBy>
        AcctLogFileName %L/%Y-%v-detail
</Realm>
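The symptom above (a second dial-in that gets error 691 with no Access-Request or Access-Reject on screen) is easiest to pin down by correlating each Access-Request with its reply and flagging requests that were never answered, or answered only after the NAS would have given up retrying. The script below is an added triage aid, not part of Radiator or of the original post. It reads a constructed, simplified event format ("<epoch> <event> client=<ip> id=<n> user=<name>"); real Radiator trace output looks different, so parse_line() would need adapting to it. The NAS retry timer (nas_timeout) and the sample events are assumptions chosen for illustration.

```python
"""Correlate RADIUS Access-Requests with their Access-Accept/Reject replies.

Added diagnostic example (not Radiator's code). The log format parsed here is
a constructed, simplified one; adapt parse_line() to the real trace output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed format: "<epoch> <event> client=<ip> id=<n> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) "
    r"(?P<event>Access-Request|Access-Accept|Access-Reject) "
    r"client=(?P<client>[\d.]+) id=(?P<id>\d+)(?: user=(?P<user>\S+))?$"
)

# Constructed sample: id 17 is a correct reject for an unknown user, id 18 is
# answered but only after 3.5 s, id 19 is retransmitted once and never
# answered, id 20 is a normal accept.
SAMPLE_LOG = """\
1012900000.0 Access-Request client=192.168.0.11 id=17 user=nosuchuser
1012900000.2 Access-Reject client=192.168.0.11 id=17 user=nosuchuser
1012900001.0 Access-Request client=192.168.0.11 id=18 user=alice
1012900004.5 Access-Accept client=192.168.0.11 id=18 user=alice
1012900006.0 Access-Request client=192.168.0.11 id=19 user=bob
1012900009.0 Access-Request client=192.168.0.11 id=19 user=bob
1012900012.0 Access-Request client=192.168.0.11 id=20 user=carol
1012900012.3 Access-Accept client=192.168.0.11 id=20 user=carol
""".splitlines()


@dataclass
class Event:
    ts: float
    kind: str
    client: str
    ident: int
    user: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(float(m["ts"]), m["event"], m["client"], int(m["id"]), m["user"])


def correlate(lines, nas_timeout: float = 3.0) -> Dict[str, List[Tuple]]:
    """Match requests to replies by (client, identifier).

    Returns:
      "unanswered": (client, id, user, first_ts, retransmits) for requests
                    that never got an Accept/Reject in this log window;
      "late":       (client, id, user, latency_s) for replies that arrived
                    after nas_timeout, i.e. after the NAS likely gave up.
    """
    pending: Dict[Tuple[str, int], list] = {}  # key -> [first_ts, user, retransmits]
    unanswered: List[Tuple] = []
    late: List[Tuple] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.client, ev.ident)
        if ev.kind == "Access-Request":
            if key in pending:
                pending[key][2] += 1  # same id again: the NAS retransmitted
            else:
                pending[key] = [ev.ts, ev.user, 0]
            continue
        req = pending.pop(key, None)
        if req is None:
            continue  # reply without a request in this window; ignore it
        latency = ev.ts - req[0]
        if latency > nas_timeout:
            late.append((ev.client, ev.ident, req[1], round(latency, 3)))
    # Whatever is still pending at end of log never received a reply.
    for (client, ident), (ts, user, retx) in sorted(pending.items(), key=lambda kv: kv[1][0]):
        unanswered.append((client, ident, user, ts, retx))
    return {"unanswered": unanswered, "late": late}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for row in result["unanswered"]:
        print("no reply:   client=%s id=%d user=%s retransmits=%d" % (row[0], row[1], row[2], row[4]))
    for row in result["late"]:
        print("late reply: client=%s id=%d user=%s latency=%.1fs" % row)
```

Reading the two lists together separates the cases that matter here: a request present with no reply points at Radiator (or its LDAP bind to AD) stalling, a late reply points at the LDAP Timeout or bind latency exceeding the NAS retry window, and a 691 with no request logged at all means the packet never reached Radiator's logging in the first place.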