Hi. I am working towards a config that does AD authentication with the addition of OTP. I have started the AD config and have hit an issue that I cannot seem to get around. The log file states:
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing has pointed me in the right direction yet. Any input towards a resolution would be appreciated as I need this to work prior to adding the OTP settings to the config.

radius.cfg file
======
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
# AuthPort 1645 AcctPort 1646

# You will probably want to add other Clients to suit your site.
<Client 10.0.0.8>
        Secret IMNOTTELLLING
</Client>

# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.
<Handler>
        <AuthBy LDAP2>
                Debug 255
                NoDefault
                Host 10.0.50.80 10.0.50.82
                # Microsoft AD also listens on port 3268, and
                # requests received on that port are reported to be
                # more compliant with standard LDAP, so you may want to use:
                Port 3268
                AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
                AuthPassword PLAINTEXTPASSWORD
                BaseDN DC=MS, DC=DOMAIN, DC=com
                ServerChecksPassword
                UsernameAttr sAMAccountName
                HoldServerConnection
                FailureBackoffTime 0
                AuthAttrDef logonHours,MS-Login-Hours,check
        </AuthBy>
</Handler>
======

Cleansed log dump
======
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
        User-Name = "UserJ"
        User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
        Service-Type = Login-User
        NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG: Deleting session for UserJ, 10.0.100.8,
Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
        Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
        User-Name = "UserJ"
        User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
        Service-Type = Login-User
        NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
        Reply-Message = "Request Denied"

Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
        User-Name = "UserJ"
        User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
        Service-Type = Login-User
        NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
        Reply-Message = "Request Denied"
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
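An added example, not code from the original post or from Radiator itself: a small Python parser that walks a Radiator trace in the layout of the "Cleansed log dump" above, pairs each received Access-Request with the outcome Radiator logs for it, and counts the NAS retransmits that Radiator reports as "Duplicate request id". Reading the trace this way makes the pattern in the post explicit: one request, one "Bad Encrypted password" reject, and the same identifier arriving twice more afterwards. The sample log is constructed to mirror the post (with the binary Authentic and User-Password lines left out), plus a constructed accepted request for contrast; the "Access accepted for" wording is an assumption about Radiator's INFO message and does not appear in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trace: request id 188 rejected by AuthBy LDAP2 and
# retransmitted twice by the NAS, then a constructed accepted request (id 189).
# The "Access accepted for" line is an assumed Radiator INFO message.
SAMPLE_LOG = """\
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Attributes:
        User-Name = "UserJ"
        NAS-IP-Address = 10.0.100.8
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 ....
Code:       Access-Reject
Identifier: 188
Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Attributes:
        User-Name = "UserJ"
Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 ....
Code:       Access-Request
Identifier: 188
Attributes:
        User-Name = "UserJ"
Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
Tue Dec 15 10:35:01 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58653 ....
Code:       Access-Request
Identifier: 189
Attributes:
        User-Name = "UserK"
Tue Dec 15 10:35:01 2015: INFO: Access accepted for UserK
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$')
RECV_RE = re.compile(r'^\*\*\* Received from (?P<ip>[\d.]+) port (?P<port>\d+)')
IDENT_RE = re.compile(r'^Identifier:\s+(?P<id>\d+)')
USER_RE = re.compile(r'^\s*User-Name = "(?P<user>[^"]*)"')
REJECT_RE = re.compile(r'^Access rejected for (?P<user>\S+): (?P<reason>.+)$')
ACCEPT_RE = re.compile(r'^Access accepted for (?P<user>\S+)')
DUP_RE = re.compile(r'^Duplicate request id (?P<id>\d+) received from (?P<ip>[\d.]+)\((?P<port>\d+)\)')


@dataclass
class Request:
    nas: str
    port: int
    ident: Optional[int] = None
    user: Optional[str] = None
    outcome: str = "PENDING"   # PENDING, REJECT or ACCEPT
    reason: str = ""           # reject reason as Radiator logged it
    retransmits: int = 0       # "Duplicate request id" lines seen for this key


def parse_radiator_log(text: str) -> List[Request]:
    """Pair each received Access-Request with its outcome and retransmit count."""
    requests: List[Request] = []
    by_key: Dict[Tuple[str, int, int], Request] = {}   # (nas, port, id) -> request
    current: Optional[Request] = None
    in_received = False   # inside the body of a "*** Received from" packet dump
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            in_received = False   # any timestamped line ends a packet dump body
            msg = m.group("msg")
            dup = DUP_RE.match(msg)
            if dup:
                key = (dup["ip"], int(dup["port"]), int(dup["id"]))
                if key in by_key:
                    by_key[key].retransmits += 1
                continue
            rej = REJECT_RE.match(msg)
            if rej and current is not None:
                current.outcome, current.reason = "REJECT", rej["reason"]
                continue
            if ACCEPT_RE.match(msg) and current is not None:
                current.outcome = "ACCEPT"
            continue
        recv = RECV_RE.match(raw)
        if recv:
            current = Request(nas=recv["ip"], port=int(recv["port"]))
            requests.append(current)
            in_received = True
            continue
        if in_received and current is not None:
            ident = IDENT_RE.match(raw)
            if ident:
                key = (current.nas, current.port, int(ident["id"]))
                if key in by_key:
                    # Same NAS, port and id already seen: a re-dumped retransmit,
                    # so drop the placeholder and keep attributing to the original.
                    requests.pop()
                    current = by_key[key]
                    in_received = False
                else:
                    current.ident = key[2]
                    by_key[key] = current
                continue
            user = USER_RE.match(raw)
            if user:
                current.user = user["user"]
    return requests


def reject_reasons(requests: List[Request]) -> Dict[str, int]:
    """Count rejected requests by the reason string Radiator logged."""
    counts: Dict[str, int] = {}
    for r in requests:
        if r.outcome == "REJECT":
            counts[r.reason] = counts.get(r.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for r in parse_radiator_log(SAMPLE_LOG):
        print(f"id={r.ident} nas={r.nas} user={r.user} {r.outcome} "
              f"reason={r.reason!r} retransmits={r.retransmits}")
    print(reject_reasons(parse_radiator_log(SAMPLE_LOG)))
```

Run it against a real trace with `parse_radiator_log(open("radius.log").read())`. A request that stays PENDING or a high retransmit count is worth a second look: the retransmits in the post show the NAS resending identifier 188 at five-second intervals even though Radiator had already sent its Access-Reject, which is the NAS's retry timer at work, not a second authentication attempt.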