[RADIATOR] "Bad password" error in logs
Arya, Manish Kumar
m.arya at yahoo.com
Wed Aug 2 08:08:19 UTC 2017
Hi Christian,
I have tried commenting out ServerChecksPassword but it does not help. I think if I force Radiator to accept only CHAP requests then it might work.
Can someone please tell me the config to force the authentication protocol?
Regards,
-Manish
On Tuesday, August 1, 2017 3:29 PM, Christian Kratzer <ck-lists at cksoft.de> wrote:
Hi Arya,
On Tue, 1 Aug 2017, Arya, Manish Kumar wrote:
> # Infinera
> <AuthBy LDAP2>
> NoDefault
> Identifier infi_user_auth
> Host xxxx
> Port xxxx
> Timeout 60
> AuthDN xxxx
> AuthPassword xxxxx
> BaseDN xxxxxx
> Scope subtree
> SearchFilter (&(access-device-type=infinera)(raduser=%1))
> UsernameAttr raduser
> PasswordAttr radpass
> ServerChecksPassword
> AuthAttrDef radpass,User-Password,check
> AuthAttrDef my-Infinera-User-Priv-SA,Infinera-User-Priv-SA,reply
> AuthAttrDef my-Infinera-User-Priv-NE,Infinera-User-Priv-NE,reply
> AuthAttrDef my-Infinera-User-Priv-NA,Infinera-User-Priv-NA,reply
> AuthAttrDef my-Infinera-User-Priv-PR,Infinera-User-Priv-PR,reply
> AuthAttrDef my-Infinera-User-Priv-TT,Infinera-User-Priv-TT,reply
> AddToReplyIfNotExist Service-Type=Login-User
> </AuthBy>
> Tue Aug 1 11:56:38 2017: DEBUG: Handling request with Handler '', Identifier ''
> Tue Aug 1 11:56:38 2017: DEBUG: Deleting session for infiuser2, 10.91.142.96,
> Tue Aug 1 11:56:38 2017: DEBUG: Handling with Radius::AuthLDAP2: infi_user_auth
> Tue Aug 1 11:56:38 2017: INFO: Connecting to 10.91.118.24:389
> Tue Aug 1 11:56:38 2017: INFO: Attempting to bind to LDAP server 10.91.118.24:389
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got result for uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got radpass: abcd1234
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-SA: SA-PRIVILEGED
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-NE: NE-PRIVILEGED
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-NA: NA-PRIVILEGED
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-PR: PR-PRIVILEGED
> Tue Aug 1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-TT: TT-PRIVILEGED
> Tue Aug 1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 looks for match with infiuser2 [infiuser2]
> Tue Aug 1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: infiuser2 [infiuser2]
> Tue Aug 1 11:56:38 2017: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
> Tue Aug 1 11:56:38 2017: INFO: Access rejected for infiuser2: Bad Password
> Tue Aug 1 11:56:38 2017: DEBUG: Packet dump:
You are using ServerChecksPassword in the above config, which means Radiator does not compare the password itself but tries to bind to the LDAP server with the user credentials.
In your case it is highly probable that the LDAP server does not allow "uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net" to bind to your LDAP, which is what the above logs are trying to tell you.
Just remove the ServerChecksPassword from the AuthBy LDAP2 and it should work.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck at cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
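
Added example, not part of the original thread and not Radiator's own code: a Python model of the two checking strategies discussed above (binding to the directory with the user's credentials versus comparing against a password read from the directory), showing which of PAP and CHAP each one can verify. The in-memory directory, the function names and the request dictionaries are constructed for illustration; the CHAP computation follows RFC 1994.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the LDAP directory (sample user from the thread's log).
DIRECTORY = {"infiuser2": "abcd1234"}

def ldap_bind(user, password):
    """Stand-in for an LDAP simple bind: the directory only answers yes or no."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5 over the one-byte identifier, the secret, then the challenge."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def check_by_bind(user, request):
    """Bind mode: needs the cleartext password from the request, so PAP only."""
    if "pap_password" not in request:
        return False  # a CHAP request carries only a hash, nothing to bind with
    return ldap_bind(user, request["pap_password"])

def check_by_compare(user, request):
    """Compare mode: the server reads the stored password and checks it itself."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    if "pap_password" in request:  # PAP value after RADIUS decoding
        return hmac.compare_digest(stored.encode(), request["pap_password"].encode())
    expected = chap_response(request["chap_id"], stored, request["chap_challenge"])
    return hmac.compare_digest(expected, request["chap_response"])

def demo():
    """Run one PAP and one CHAP request through both strategies."""
    challenge = os.urandom(16)
    pap = {"pap_password": "abcd1234"}
    chap = {"chap_id": 7, "chap_challenge": challenge,
            "chap_response": chap_response(7, "abcd1234", challenge)}
    return {
        "bind/PAP": check_by_bind("infiuser2", pap),
        "bind/CHAP": check_by_bind("infiuser2", chap),
        "compare/PAP": check_by_compare("infiuser2", pap),
        "compare/CHAP": check_by_compare("infiuser2", chap),
    }

if __name__ == "__main__":
    for mode, ok in demo().items():
        print(f"{mode:13} {'ACCEPT' if ok else 'REJECT'}")
```

Compare mode handles CHAP only because the directory returns the password in cleartext, which is also why it appears in the debug log quoted above.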