[RADIATOR] AuthBy LDAP2 to AD

Joe Honnold Joe_Honnold at starkey.com
Tue Dec 15 11:18:43 CST 2015


Hi.

I am working towards a config that does AD authentication with the addition of OTP. I have started the AD config and have hit an issue that I cannot seem to get around.
The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this to work prior to adding the OTP settings to the config.

radius.cfg file
======
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.
<Client 10.0.0.8>
Secret IMNOTTELLLING
</Client>

# Authenticates users in the Organisational Unit called 'csx users'.
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.
<Handler>
<AuthBy LDAP2>
Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
</Handler>

======

Cleansed log dump
======
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 10.0.100.8,
Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"


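A check worth running before touching the OTP side, added here as an example and not part of the original post or of Radiator's own code: with ServerChecksPassword, Radiator first decrypts the PAP User-Password using the matching Client's shared secret and then asks AD to verify it by binding as the user, so a secret that differs between the NAS and the <Client> clause produces exactly this kind of failed bind from a request that otherwise looks normal (note that the cleansed log shows the request arriving from 10.0.100.8 while the Client clause names 10.0.0.8, so make sure the secret you compare is the one of the Client that actually matched). The script below implements RFC 2865 User-Password hiding with the standard library only, reads the "Authentic:" and "User-Password" values in the byte syntax Radiator's packet dump uses (printable octets as-is, others as <decimal>), and decodes them with a candidate secret: the right secret yields the typed password, a wrong one yields non-printable noise. The secret, password and Request Authenticator in it are constructed (the post's secret is redacted), the function names are mine, and the treatment of a raw "<" in the dump format is an assumption.

```python
"""RFC 2865 User-Password hiding (encode/decode) plus a reader for the
<nnn> byte syntax Radiator prints in its packet dumps.

Added example, not Radiator code. The shared secret, password and Request
Authenticator used for the demo are constructed values."""
import hashlib
import re

# Radiator's dump prints each non-printable octet as <decimal>; this regex
# reads that form back. Assumption: a literal '<' is never printed raw.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def parse_radiator_bytes(dump: str) -> bytes:
    """'<220><190>r@' -> b'\\xdc\\xber@'."""
    out = bytearray()
    for num, ch in _TOKEN.findall(dump):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def format_radiator_bytes(data: bytes) -> str:
    """Inverse of parse_radiator_bytes, used to print decoded values."""
    return "".join(chr(b) if 32 <= b < 127 and b != ord("<") else f"<{b}>"
                   for b in data)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to 16-octet blocks,
    then XOR each block with MD5(secret + previous ciphertext block), the
    first block being chained from the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; trailing NUL padding is stripped, so a
    password that really ends in NUL octets cannot be distinguished."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def check_pap_password(authentic_dump: str, user_password_dump: str, secret: bytes):
    """Decode User-Password from a Radiator packet dump with a candidate
    shared secret. Returns (password, plausible); plausible is False when the
    result holds non-printable octets, which is what a wrong secret produces
    because the MD5 keystream XORed over the real password looks like noise."""
    authenticator = parse_radiator_bytes(authentic_dump)
    hidden = parse_radiator_bytes(user_password_dump)
    password = reveal_user_password(hidden, secret, authenticator)
    plausible = bool(password) and all(32 <= b < 127 for b in password)
    return password, plausible


# Constructed demo values (not from the post; the post's secret is redacted).
DEMO_SECRET = b"constructed-shared-secret"
DEMO_PASSWORD = b"UserJ-Passw0rd!"
DEMO_AUTHENTICATOR = bytes(range(16))
DEMO_AUTH_DUMP = format_radiator_bytes(DEMO_AUTHENTICATOR)
DEMO_HIDDEN_DUMP = format_radiator_bytes(
    hide_user_password(DEMO_PASSWORD, DEMO_SECRET, DEMO_AUTHENTICATOR))

if __name__ == "__main__":
    # Paste the Authentic: and User-Password values from a Trace 4 dump in
    # place of the demo strings to test a real request against a real secret.
    for candidate in (DEMO_SECRET, b"wrong-secret"):
        pw, ok = check_pap_password(DEMO_AUTH_DUMP, DEMO_HIDDEN_DUMP, candidate)
        print(f"secret={candidate!r}: password={format_radiator_bytes(pw)!r} plausible={ok}")
```

If the decoded value with the secret from the <Client> clause is already garbage, the NAS and Radiator disagree on the secret and AD never sees the real password; if it decodes cleanly to what the user typed, the secret is fine and the next things to check are the bind itself (the DN Radiator found, and whether that account can bind on the port in use) rather than the RADIUS side.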