(RADIATOR) authentication using ADSI
Hugh Irvine
hugh at open.com.au
Tue Apr 13 17:49:46 CDT 2004
Hello -
The workstation must be part of the AD domain.
regards
Hugh
On 14 Apr 2004, at 07:12, jkleyheeg at triseptsolutions.com wrote:
> HI,
>
> I'm trying to get the "Auth by ADSI" to work from a standalone
> workstation, and am having some problems (most likely authentication
> related).
>
> Our first test was from an AD integrated XP workstation, which worked
> just fine.
>
> Our production solution will entail a standalone, non AD integrated,
> workstation.
>
> Using the same radius.cfg file, I'm now getting errors.
>
> Is it possible to get the ADSI authentication to work from a
> standalone workstation, or do I need to be running radiator from PC
> that's joined to the AD domain?
>
> Thanks.
>
> Radius.cfg:
>
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
> Trace 3
>
> <ServerTACACSPLUS>
>     Key <removed>
>     AddToRequest NAS-Identifier=TACACS
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
>     Secret <removed>
>     DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>     # During authentication, AuthBy ADSI finds a matching user
>     # record, checks the AccountDisabled and IsAccountLocked flags,
>     # checks the LoginHours permitted times, and the user's password
>     <AuthBy ADSI>
>         Identifier ADSI
>         SearchAttribute sAMAccountName
>         BindString LDAP://SERVER.DOMAIN.com/cn=%0,dc=DOMAIN,dc=com
>         AuthUser %0
>         CheckGroup CN=SEG,ou=Systems Engineering
>         GroupRequired CN=SEG
>     </AuthBy>
>     AcctLogFileName %D/%Y%m%d-RAS.log
> </Realm>
>
> ---------------------------------------------------
>
> LogFile:
>
> Tue Apr 13 16:06:55 2004: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> Tue Apr 13 16:06:55 2004: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Tue Apr 13 16:06:55 2004: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
> Tue Apr 13 16:06:55 2004: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Apr 13 16:06:55 2004: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Apr 13 16:06:55 2004: NOTICE: Server started: Radiator 3.8 on Monitor101 (EVALUATION)
> Tue Apr 13 16:07:03 2004: DEBUG: New TacacsplusConnection created for 10.11.2.2:13593
> Tue Apr 13 16:07:03 2004: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 77302899, 26
> Tue Apr 13 16:07:03 2004: DEBUG: TacacsPlus request packet dump:
> c0010100049b8c730000001a986ca3eb1571940c0447e56ac5ddddb99d110c2780ccd907beb8
> Tue Apr 13 16:07:03 2004: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty66, 10.11.248.244
> Tue Apr 13 16:07:03 2004: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
> Tue Apr 13 16:07:06 2004: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 77302899, 11
> Tue Apr 13 16:07:06 2004: DEBUG: TacacsPlus request packet dump:
> c0010300049b8c730000000b7cb7246eb43232d851b035
> Tue Apr 13 16:07:06 2004: DEBUG: TacacsplusConnection Authentication CONTINUE 0, tester,
> Tue Apr 13 16:07:06 2004: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> Tue Apr 13 16:07:08 2004: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 77302899, 10
> Tue Apr 13 16:07:08 2004: DEBUG: TacacsPlus request packet dump:
> c0010500049b8c730000000a45d66ad351bafe589de8
> Tue Apr 13 16:07:08 2004: DEBUG: TacacsplusConnection Authentication CONTINUE 0, <password>,
> Tue Apr 13 16:07:08 2004: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <194><143>I<20>0<179>><25>w<222><169>1<165>`<190><249>
> Attributes:
>         NAS-IP-Address = 10.11.2.2
>         NAS-Port-Id = "tty66"
>         Calling-Station-Id = "10.11.248.244"
>         Service-Type = Login-User
>         NAS-Identifier = "TACACS"
>         User-Name = "tester"
>         User-Password = "<password>"
>
> Tue Apr 13 16:07:08 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Apr 13 16:07:08 2004: DEBUG: Deleting session for , 10.11.2.2,
> Tue Apr 13 16:07:08 2004: DEBUG: Handling with ASDI
> Tue Apr 13 16:07:08 2004: DEBUG: BindString converted to LDAP://Server.Domain.com/cn=tester,dc=Domain,dc=com
> Tue Apr 13 16:07:08 2004: DEBUG: AuthUser converted to tester
> Tue Apr 13 16:07:08 2004: DEBUG: Starting ADODB search for sAMAccountName = tester
> Tue Apr 13 16:07:09 2004: DEBUG: User found at LDAP://errorexec
> Tue Apr 13 16:07:09 2004: DEBUG: Connecting to namespace: LDAP:
> Tue Apr 13 16:07:09 2004: DEBUG: Running OpenDSObject on LDAP://errorexec
> Tue Apr 13 16:07:22 2004: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007203a: "The server is not operational"
>     in METHOD/PROPERTYGET "OpenDSObject"
> Tue Apr 13 16:07:22 2004: INFO: Access rejected for tester: Could not find user
> Tue Apr 13 16:07:22 2004: DEBUG: TacacsplusConnection result Access-Reject
> Tue Apr 13 16:07:22 2004: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
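Editor's added example (not part of Hugh's reply, the original post, or Radiator itself): the trace above shows AuthBy ADSI doing an ADODB search for the sAMAccountName under the identity of the Radiator process, then an OpenDSObject bind as the user, and then rejecting because the search returned "LDAP://errorexec" rather than a real ADsPath. The PowerShell script below replays those steps one at a time on the Radiator host so you can see which step fails outside Radiator, then applies the same account-state and group checks the config comment describes. It uses the .NET System.DirectoryServices classes rather than the Win32::OLE ADSI calls Radiator uses, so it is an equivalent, not the same code path. SERVER.DOMAIN.com, dc=DOMAIN,dc=com, the account 'tester' and the group CN=SEG,ou=Systems Engineering are placeholders lifted from the posted radius.cfg; the group's full DN under the domain root is an assumption.

```powershell
# Added diagnostic; not Radiator code and not from the original post.
# Replays, outside Radiator, the steps AuthBy ADSI takes for one login:
#   1. locate the account by sAMAccountName, as the calling process
#   2. bind as that account with the supplied password (OpenDSObject)
#   3. check the disabled/locked-out state and the required group
# Placeholder names below are taken from the posted config; the full
# distinguished name of the SEG group is an assumption.
param(
    [string]$Server  = 'SERVER.DOMAIN.com',
    [string]$BaseDN  = 'dc=DOMAIN,dc=com',
    [string]$User    = 'tester',
    [string]$GroupDN = 'CN=SEG,ou=Systems Engineering,dc=DOMAIN,dc=com'
)
Add-Type -AssemblyName System.DirectoryServices

# Never pass the password on the command line; it would land in shell history.
$secure = Read-Host -AsSecureString -Prompt "Password for $User"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Escape RFC 4515 filter metacharacters so a crafted username cannot rewrite
# the search filter (the same concern applies to %0 in a SearchAttribute).
$escaped = $User -replace '\\', '\5c' -replace '\*', '\2a' `
                 -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

# Step 1: search with no explicit credentials, i.e. as the calling process.
# This is the identity Radiator's ADODB search runs with; on a host that is
# not a domain member that identity means nothing to the DC, which is the
# situation Hugh's answer addresses.
try {
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'userAccountControl', 'lockoutTime', 'memberOf'))
    $hit = $searcher.FindOne()
} catch {
    Write-Error "Step 1 (search) failed: $($_.Exception.Message)"
    exit 1
}
if (-not $hit) { Write-Error "Step 1: no account with sAMAccountName=$User"; exit 1 }
$dn = $hit.Properties['distinguishedname'][0]
Write-Host "Step 1 ok: $dn"

# Step 2: bind as the user. AuthUser %0 in the posted config passes the bare
# username; Secure is the ADS_SECURE_AUTHENTICATION flag OpenDSObject uses.
try {
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$dn", $User, $plain,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $null = $entry.NativeObject    # forces the bind; throws on a bad password
    Write-Host "Step 2 ok: bound as $User"
} catch {
    Write-Error "Step 2 (bind) failed: $($_.Exception.Message)"
    exit 1
} finally {
    $plain = $null
}

# Step 3: the account-state and group checks the config comment describes.
$uac = [int]$hit.Properties['useraccountcontrol'][0]
if ($uac -band 0x2) { Write-Error "Account is disabled (ACCOUNTDISABLE bit set)"; exit 1 }
# lockoutTime is 0 or absent when never locked; a non-zero value may be an
# expired lockout, so report it rather than reject on it.
$lockout = $hit.Properties['lockouttime']
if ($lockout.Count -gt 0 -and [int64]$lockout[0] -ne 0) {
    Write-Warning "lockoutTime is set ($($lockout[0])); compare with lockoutDuration"
}
# memberOf lists direct memberships only; a GroupRequired that relies on
# nested groups would need a recursive check.
if (-not (@($hit.Properties['memberof']) -contains $GroupDN)) {
    Write-Error "$User is not a direct member of $GroupDN"; exit 1
}
Write-Host "Step 3 ok: $User is enabled and a direct member of $GroupDN"
```

Run it on the Radiator host under the same account the Radiator service runs as, and compare each step's result with the corresponding trace line ("Starting ADODB search", "Running OpenDSObject"). A failure at step 1 with the process identity, while step 2 succeeds with explicit credentials, points at the host's own domain identity rather than at the user's password or the group configuration.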