[RADIATOR] "Bad Encrypted password" - Authby LDAP2 and Active Directory

Hugh Irvine hugh at open.com.au
Tue Sep 14 13:37:27 CDT 2010


Hello Bob -

ServerChecksPassword with AD will only work for PAP authentication - it won't work for CHAP or any MSCHAP variants.

You will see in the trace 4 debug the packet dumps.

regards

Hugh


On 14 Sep 2010, at 13:24, Bob Rotsted wrote:

> Hugh,
> 
> Below is the information you requested:
> 
> Logs
> -----------------------------------------
> Tue Sep 14 09:45:30 2010: NOTICE: SIGTERM received: stopping
> Tue Sep 14 09:45:30 2010: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
> Tue Sep 14 09:45:30 2010: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Tue Sep 14 09:45:30 2010: DEBUG: Reading dictionary file
> '/etc/radiator/dictionary'
> Tue Sep 14 09:45:30 2010: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Sep 14 09:45:30 2010: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Sep 14 09:45:30 2010: NOTICE: Server started: Radiator 4.7 on x
> 
> 
> Tue Sep 14 09:46:48 2010: DEBUG: Handling request with Handler
> 'NAS-IP-Address=131.252.x.x', Identifier ''
> Tue Sep 14 09:46:48 2010: DEBUG:  Deleting session for user. 131.252.x.x, 59
> Tue Sep 14 09:46:48 2010: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server
> 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got result for <dn>
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got objectClass: top person
> organizationalPerson user
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got cn: user
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got sn: user
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got department: x
> 
> (more LDAP spew)
> 
> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 looks for match with
> user [user]
> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
> password: user [user]
> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server
> 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: DEBUG: No entries for DEFAULT found in LDAP
> database
> Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad
> Encrypted password
> Tue Sep 14 09:46:48 2010: INFO: Access rejected for user: Bad Encrypted
> password
> 
> Config
> -----------------------------------------
> <Handler NAS-IP-Address=131.252.x.x>
>           <AuthBy LDAP2>
>                        #define the host
>                        Host            131.252.x.x
>                        UseSSL
>                        Version         3
>                        #define the port
>                        Port            636
>                        Debug           255
>                        UsernameAttr sAMAccountName
>                        ServerChecksPassword
>                        AuthDN x
>                        AuthPassword x
>                        BaseDN          dc=PSU, dc=X, dc=PDX, dc=EDU
>                        SearchFilter (&(%0=%1)(x))
>                        AddToReply      Class = ou=x;
>            </AuthBy>
> 
> 
>           <AuthBy LDAP2>
>                        #define the host
>                        Host            131.252.x.x
>                        UseSSL
>                        Version         3
>                        Port            636
>                        Debug           255
>                        UsernameAttr sAMAccountName
>                        ServerChecksPassword
>                        AuthDN x
>                        AuthPassword x
>                        BaseDN          dc=PSU, dc=X, dc=PDX, dc=EDU
>                        SearchFilter (&(%0=%1)(x))
>                        AddToReply      Class = ou=y;
>           </AuthBy>
> 
> </Handler>
> 
> 
> 
> Thanks for your assistance!
> 
> --bob
> 
> 
> On 09/14/2010 10:44 AM, Hugh Irvine wrote:
>> 
>> Hello Bob -
>> 
>> We will need to see a copy of the configuration file and a more complete trace 4 debug showing the startup messages as well as what is happening with the requests.
>> 
>> For the most flexibility I suggest the AuthBy  clause on *NIX and the AuthBy LSA clause on Windows.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 14 Sep 2010, at 12:11, Bob Rotsted wrote:
>> 
>>> Hi all,
>>> 
>>> I'm attempting to use Authby LDAP2 to proxy authentication requests to
>>> our active directory server with the "ServerChecksPassword" switch.
>>> 
>>> Everything appears to be working correctly -- binding completes, etc --
>>> until the user's password is verified. When AD checks the user's
>>> password, Authby LDAP2 throws the following errors:
>>> 
>>> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 looks for match with
>>> user [user]
>>> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
>>> password: user [user]
>>> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.0.0:636
>>> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server
>>> 131.252.0.0:636
>>> Tue Sep 14 09:46:48 2010: DEBUG: No entries for DEFAULT found in LDAP
>>> database
>>> Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad
>>> Encrypted password
>>> Tue Sep 14 09:46:48 2010: INFO: Access rejected for user: Bad Encrypted
>>> password
>>> 
>>> My current configuration works on another server, perhaps my new server
>>> is missing a library? Anyone else experiencing this issue?
>>> 
>>> Best,
>>> 
>>> -- 
>>> Bob Rotsted
>>> 
>>> Network Security Analyst
>>> Portland State University
>>> Desk: 503-725-6215
>>> Cell: 503-208-6575
>>> 314B D581 A8CD E28A A690 7E9D 5B43 4B28 0EB6 A21A
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
>> 
>> NB: 
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), 
>> together with a trace 4 debug showing what is happening?
>> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.





More information about the radiator mailing list