<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Got it all sorted. Thanks for the pointers. Here is what my working config for AD looks like.
<div class=""><br class="">
</div>
<div class="">
<div class="">Foreground</div>
<div class="">LogStdout</div>
<div class="">LogDir<span class="Apple-tab-span" style="white-space: pre;"> </span>
/var/log/radius</div>
<div class="">DbDir<span class="Apple-tab-span" style="white-space: pre;"> </span>
/etc/radiator</div>
<div class=""># User a lower trace level in production systems:</div>
<div class="">Trace <span class="Apple-tab-span" style="white-space: pre;"> </span>
4</div>
<div class="">#</div>
<div class="">AuthPort<span class="Apple-tab-span" style="white-space: pre;"> </span>
1645 </div>
<div class="">AcctPort<span class="Apple-tab-span" style="white-space: pre;"> </span>
1646</div>
<div class=""><br class="">
</div>
<div class=""><Client 10.0.0.8></div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>Secret<span class="Apple-tab-span" style="white-space: pre;">
</span>IMNOTTELLLING</div>
<div class=""></Client></div>
<div class=""><br class="">
</div>
<div class=""><Handler></div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span><AuthBy LDAP2></div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>Debug 255</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>NoDefault</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>Host<span class="Apple-tab-span" style="white-space: pre;">
</span>10.0.50.80 10.0.50.82</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span># Microsoft AD also listens on port 3268, and </div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span># requests received on that port are reported to be</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span># more compliant with standard LDAP, so you may want to use:</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>Port 3268</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>AuthDN<span class="Apple-tab-span" style="white-space: pre;">
</span>cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>AuthPassword<span class="Apple-tab-span" style="white-space: pre;">
</span>PLAINTEXTPASSWORD</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>BaseDN </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>PasswordAttr</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ServerChecksPassword</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>UsernameAttr sAMAccountName</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>HoldServerConnection</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>FailureBackoffTime 0</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>AuthAttrDef MobileNumber,Callback-Number,request</div>
<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span></AuthBy></div>
<div class=""></Handler></div>
<div class=""><br class="">
</div>
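<div class="">Added example, not code from the list posts or from Radiator: a small Python linter for the AuthBy LDAP2 block that flags the pitfalls this thread turns on, a non-empty BaseDN while Port is the Global Catalog (3268/3269), a missing ServerChecksPassword (my own addition: AD does not return password attributes over LDAP, so only a bind-as-user check can verify the password), and Debug left enabled. SAMPLE_CFG is a constructed fragment modelled on the original failing config; the finding codes are hypothetical names chosen for this example.</div>

```python
import re

# Constructed sample modelled on the first (failing) config in the thread: the
# AuthBy block queries the Global Catalog port but still carries a BaseDN.
SAMPLE_CFG = """\
<Handler>
\t<AuthBy LDAP2>
\tDebug 255
\tPort 3268
\tAuthDN\tcn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
\tBaseDN\tDC=MS, DC=DOMAIN, DC=com
\tServerChecksPassword
\tUsernameAttr sAMAccountName
\t</AuthBy>
</Handler>
"""

GC_PORTS = {"3268", "3269"}  # Active Directory Global Catalog: LDAP and LDAPS


def ldap2_blocks(text: str) -> list[dict[str, str]]:
    """One {keyword: value} dict per <AuthBy LDAP2> block; bare keywords map to ''."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):           # blank line or comment
            continue
        if re.fullmatch(r"<AuthBy\s+LDAP2>", line, re.IGNORECASE):
            current = {}
        elif line.lower() == "</authby>":
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)                # keyword [tab/space value]
            current[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return blocks


def lint(text: str) -> list[str]:
    """Finding codes (hypothetical names) for every AuthBy LDAP2 block in a config."""
    findings = []
    for b in ldap2_blocks(text):
        if b.get("port") in GC_PORTS and b.get("basedn", ""):
            findings.append("GC-BASEDN")      # GC search needs an empty BaseDN
        if "servercheckspassword" not in b:
            findings.append("NO-BIND-CHECK")  # AD does not return password attributes
        if b.get("debug", "0") != "0":
            findings.append("DEBUG-ON")       # LDAP library debugging left enabled
    return findings
```

Running lint over the constructed sample reports GC-BASEDN and DEBUG-ON; emptying BaseDN and setting Debug 0, as the working config above does, clears both.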
<div class=""><br class="">
<div class="">
<div class="">
<div>
<blockquote type="cite" class="">
<div class="">On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander <<a href="mailto:alexander.hartmaier@t-systems.at" class="">alexander.hartmaier@t-systems.at</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class="">Hi,<br class="">
sadly HoldServerConnection doesn't work for Active Directory for us.<br class="">
Not sure if that's the source of your problem though.<br class="">
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't specify a BaseDN; leave it empty!<br class="">
Just<br class="">
BaseDN<br class="">
<br class="">
Best regards, Alex<br class="">
<br class="">
<div class="moz-cite-prefix">On 2015-12-15 18:18, Joe Honnold wrote:<br class="">
</div>
<blockquote cite="mid:ED5123F4-EF8D-4FBB-A5EA-3F74B29F4C0D@starkey.com" type="cite" class="">
Hi.
<div class=""><br class="">
</div>
<div class="">I am working towards a config that does AD authentication with the addition of OTP. I have started the AD config and have hit an issue that I can not seem to get around. </div>
<div class="">The log file states:</div>
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding:
0px;" class="">
<div class="">
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]</div>
</div>
<div class=""><br class="">
</div>
</blockquote>
I have completed some research via the docs and internet searching but nothing has pointed me in the right direction yet.
<div class="">Any input towards a resolution would be appreciated as I need this to work prior to adding the OTP settings to the config.</div>
<div class=""><br class="">
</div>
<div class="">radius.cfg file</div>
<div class="">======</div>
<div class="">
<div class="">
<div class=""># ad-ldap.cfg</div>
<div class="">#</div>
<div class=""># Example Radiator configuration file for authenticating from</div>
<div class=""># Active Directory via LDAP2, possibly from a Unix host.</div>
<div class="">#</div>
<div class=""># This very simple file will allow you to get started with </div>
<div class=""># a simple LDAP authentication system from AD.</div>
<div class="">#</div>
<div class=""># We suggest you start simple, prove to yourself that it</div>
<div class=""># works and then develop a more complicated configuration.</div>
<div class="">#</div>
<div class="">#</div>
<div class=""># You should consider this file to be a starting point only</div>
<div class=""># $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $</div>
<div class=""><br class="">
</div>
<div class="">Foreground</div>
<div class="">LogStdout</div>
<div class="">LogDir<span class="Apple-tab-span" style="white-space:pre"> </span>
/var/log/radius</div>
<div class="">DbDir<span class="Apple-tab-span" style="white-space:pre"> </span>/etc/radiator</div>
<div class=""># User a lower trace level in production systems:</div>
<div class="">Trace <span class="Apple-tab-span" style="white-space:pre"></span>4</div>
<div class="">#</div>
<div class="">AuthPort<span class="Apple-tab-span" style="white-space:pre"> </span>
1645 </div>
<div class="">AcctPort<span class="Apple-tab-span" style="white-space:pre"> </span>
1646</div>
<div class=""><br class="">
</div>
<div class=""># You will probably want to add other Clients to suit your site.</div>
<div class=""><Client 10.0.0.8></div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Secret<span class="Apple-tab-span" style="white-space:pre">
</span>IMNOTTELLLING</div>
<div class=""></Client></div>
<div class=""><br class="">
</div>
<div class=""># Authenticates users in the Organisational Unit called 'csx users'</div>
<div class=""># The user name coming from the NAS must match the sAMAccountName</div>
<div class=""># attribute of a user in that OU./ Users that are not in 'csx users'</div>
<div class=""># will not be able to log in.</div>
<div class=""><Handler></div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span><AuthBy LDAP2></div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Debug 255</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>NoDefault</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Host<span class="Apple-tab-span" style="white-space:pre">
</span>10.0.50.80 10.0.50.82</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span># Microsoft AD also listens on port 3268, and </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span># requests received on that port are reported to be</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span># more compliant with standard LDAP, so you may want to use:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Port 3268</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>AuthDN<span class="Apple-tab-span" style="white-space:pre">
</span>cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>AuthPassword<span class="Apple-tab-span" style="white-space:pre">
</span>PLAINTEXTPASSWORD</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>BaseDN<span class="Apple-tab-span" style="white-space:pre">
</span>DC=MS, DC=DOMAIN, DC=com</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ServerChecksPassword</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>UsernameAttr sAMAccountName</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>HoldServerConnection</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>FailureBackoffTime 0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>AuthAttrDef logonHours,MS-Login-Hours,check</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span></AuthBy></div>
<div class=""></Handler></div>
</div>
</div>
<div class=""><br class="">
</div>
<div class="">======</div>
<div class=""><br class="">
</div>
<div class="">Cleansed log dump</div>
<div class="">======</div>
<div class="">
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:</div>
<div class="">*** Received from 10.0.100.8 port 58652 ....</div>
<div class="">Code: Access-Request</div>
<div class="">Identifier: 188</div>
<div class="">Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4></div>
<div class="">Attributes:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>User-Name = "UserJ"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Service-Type = Login-User</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>NAS-IP-Address = 10.0.100.8</div>
<div class=""><br class="">
</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Deleting session for UserJ, 10.0.100.8, </div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2: </div>
<div class="">Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268</div>
<div class="">Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268</div>
<div class="">Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 10.0.50.80:3268</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ [UserJ]</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password</div>
<div class="">Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password</div>
<div class="">Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:</div>
<div class="">*** Sending to 10.0.100.8 port 58652 ....</div>
<div class="">Code: Access-Reject</div>
<div class="">Identifier: 188</div>
<div class="">Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9</div>
<div class="">Attributes:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Reply-Message = "Request Denied"</div>
<div class=""><br class="">
</div>
<div class="">Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:</div>
<div class="">*** Received from 10.0.100.8 port 58652 ....</div>
<div class="">Code: Access-Request</div>
<div class="">Identifier: 188</div>
<div class="">Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4></div>
<div class="">Attributes:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>User-Name = "UserJ"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Service-Type = Login-User</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>NAS-IP-Address = 10.0.100.8</div>
<div class=""><br class="">
</div>
<div class="">Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply</div>
<div class="">Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:</div>
<div class="">*** Sending to 10.0.100.8 port 58652 ....</div>
<div class="">Code: Access-Reject</div>
<div class="">Identifier: 188</div>
<div class="">Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9</div>
<div class="">Attributes:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Reply-Message = "Request Denied"</div>
<div class=""><br class="">
</div>
<div class="">Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:</div>
<div class="">*** Received from 10.0.100.8 port 58652 ....</div>
<div class="">Code: Access-Request</div>
<div class="">Identifier: 188</div>
<div class="">Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4></div>
<div class="">Attributes:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>User-Name = "UserJ"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Service-Type = Login-User</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>NAS-IP-Address = 10.0.100.8</div>
<div class=""><br class="">
</div>
<div class="">Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply</div>
<div class="">Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:</div>
<div class="">*** Sending to 10.0.100.8 port 58652 ....</div>
<div class="">Code: Access-Reject</div>
<div class="">Identifier: 188</div>
<div class="">Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9</div>
<div class="">Attributes:</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>Reply-Message = "Request Denied"</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset> <br class="">
<pre wrap="" class="">_______________________________________________
radiator mailing list
<a class="moz-txt-link-abbreviated" href="mailto:radiator@open.com.au">radiator@open.com.au</a>
<a class="moz-txt-link-freetext" href="http://www.open.com.au/mailman/listinfo/radiator">http://www.open.com.au/mailman/listinfo/radiator</a></pre>
</blockquote>
<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</body>
</html>