[RADIATOR] AuthBy LDAP2 to AD

Joe Honnold Joe_Honnold at starkey.com
Sun Dec 20 00:47:25 CST 2015


Got it all sorted.  Thanks for the pointers.  Here is what my working config for AD looks like.

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace  4
#
AuthPort 1645
AcctPort 1646

<Client 10.0.0.8>
Secret IMNOTTELLLING
</Client>

<Handler>
<AuthBy LDAP2>
Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN
PasswordAttr
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef MobileNumber,Callback-Number,request
</AuthBy>
</Handler>
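As an added check that is not part of this post or of Radiator itself: a small Python lint that reads an AuthBy LDAP2 clause in Radiator's line-oriented config format and flags the pitfalls raised in this thread (a non-empty BaseDN on the Global Catalog ports, plain-LDAP port 3268 without TLS, no way to verify passwords against AD, clear-text AuthPassword, and high Debug/Trace levels in production). The two sample configs are constructed from the failing and working versions posted in this thread; the UseSSL/UseTLS names are assumed to be Radiator's LDAP TLS switches, and the parser is a deliberate simplification of Radiator's syntax (no includes or special-character expansion).

```python
"""Lint Radiator AuthBy LDAP2 clauses for the Active Directory pitfalls in this thread.
Added example; not Radiator's own code."""
import re

# Constructed sample: the clause from the original, rejected post (non-empty BaseDN).
FAILING_CONFIG = """\
Trace 4
<Handler>
<AuthBy LDAP2>
Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268 (Global Catalog)
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
</AuthBy>
</Handler>
"""

# Constructed sample: the same clause after the advice in the thread (empty BaseDN).
WORKING_CONFIG = FAILING_CONFIG.replace("BaseDN DC=MS, DC=DOMAIN, DC=com", "BaseDN")

TAG_OPEN = re.compile(r"<(\w+)(?:\s+(.*?))?>$")
TAG_CLOSE = re.compile(r"</(\w+)>$")


def parse_config(text):
    """Return (global_params, clauses) from a Radiator-style config.

    The format is line-oriented: 'Param [value]' lines, '#' comment lines and
    <Tag arg> ... </Tag> nesting.  clauses is a list of (tag, arg, params),
    innermost clause first.  Simplified: no includes or %-expansion."""
    global_params, clauses, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2) or "", {}))
            continue
        m = TAG_CLOSE.match(line)
        if m:
            if not stack or stack[-1][0] != m.group(1):
                raise ValueError("unbalanced </%s>" % m.group(1))
            clauses.append(stack.pop())
            continue
        key, _, value = line.partition(" ")  # value may be empty, e.g. 'BaseDN'
        (stack[-1][2] if stack else global_params)[key] = value.strip()
    if stack:
        raise ValueError("unclosed <%s>" % stack[-1][0])
    return global_params, clauses


def lint_ldap2(global_params, params):
    """Return (code, message) findings for one AuthBy LDAP2 clause."""
    findings = []
    port = params.get("Port", "389")  # LDAP default port
    if port in ("3268", "3269") and params.get("BaseDN"):
        findings.append(("gc-basedn", "Global Catalog search on port %s needs an empty "
                         "BaseDN, not %r" % (port, params["BaseDN"])))
    # UseSSL/UseTLS: assumed names of Radiator's LDAP TLS switches.
    if port == "3268" and not any(k in params for k in ("UseSSL", "UseTLS")):
        findings.append(("cleartext-ldap", "port 3268 is plain LDAP: the AuthDN bind and, "
                         "with ServerChecksPassword, every user's password cross the "
                         "network unencrypted; use 3269 (LDAPS) or enable TLS"))
    if "ServerChecksPassword" not in params and not params.get("PasswordAttr"):
        findings.append(("no-password-check", "AD does not expose password hashes over "
                         "LDAP; set ServerChecksPassword so the password is verified by "
                         "binding as the user"))
    if params.get("AuthPassword"):
        findings.append(("plaintext-bind-secret", "AuthPassword is stored in clear in the "
                         "config; restrict file permissions and use a read-only account"))
    if params.get("Debug", "0") != "0":
        findings.append(("ldap-debug", "Debug %s enables LDAP protocol debugging; "
                         "lower it in production" % params["Debug"]))
    if int(global_params.get("Trace", "0")) >= 4:
        findings.append(("trace-level", "Trace %s writes packet dumps to the log; the "
                         "sample config itself says to lower it in production"
                         % global_params["Trace"]))
    return findings


def lint_config(text):
    """Finding codes per AuthBy LDAP2 clause, in the order the clauses close."""
    global_params, clauses = parse_config(text)
    return [[code for code, _ in lint_ldap2(global_params, params)]
            for tag, arg, params in clauses if tag == "AuthBy" and arg == "LDAP2"]


if __name__ == "__main__":
    for name, cfg in (("failing", FAILING_CONFIG), ("working", WORKING_CONFIG)):
        global_params, clauses = parse_config(cfg)
        print(name)
        for tag, arg, params in clauses:
            if tag == "AuthBy" and arg == "LDAP2":
                for code, msg in lint_ldap2(global_params, params):
                    print("  [%s] %s" % (code, msg))
```

Run it against a real radius.cfg by reading the file into `lint_config`; the BaseDN finding disappears for the working config, while the clear-text port and the Trace/Debug findings remain because the posted config still uses port 3268 with Debug 255 and Trace 4.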


On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander <alexander.hartmaier at t-systems.at> wrote:

Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't specify a BaseDN, leave it empty!
Just
BaseDN

Best regards, Alex

On 2015-12-15 18:18, Joe Honnold wrote:
Hi.

I am working towards a config that does AD authentication with the addition of OTP.  I have started the AD config and have hit an issue that I can not seem to get around.
The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this to work prior to adding the OTP settings to the config.

radius.cfg file
======
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.
<Client 10.0.0.8>
Secret IMNOTTELLLING
</Client>

# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU./ Users that are not in 'csx users'
# will not be able to log in.
<Handler>
<AuthBy LDAP2>
Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
</Handler>

======

Cleansed log dump
======
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 10.0.100.8,
Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator