Got it all sorted. Thanks for the pointers. Here is what my working config for AD looks like.
Foreground LogStdout LogDir /var/log/radius DbDir /etc/radiator # User a lower trace level in production systems: Trace 4 # AuthPort 1645 AcctPort 1646 <Client 10.0.0.8> Secret IMNOTTELLLING </Client> <Handler> <AuthBy LDAP2> Debug 255 NoDefault Host 10.0.50.80 10.0.50.82 # Microsoft AD also listens on port 3268, and # requests received on that port are reported to be # more compliant with standard LDAP, so you may want to use: Port 3268 AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM AuthPassword PLAINTEXTPASSWORD BaseDN PasswordAttr ServerChecksPassword UsernameAttr sAMAccountName HoldServerConnection FailureBackoffTime 0 AuthAttrDef MobileNumber,Callback-Number,request </AuthBy> </Handler> On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander <alexander.hartma...@t-systems.at<mailto:alexander.hartma...@t-systems.at>> wrote: Hi, sadly HoldServerConnection doesn't work for Active Directory for us. Not sure if that's the source of your problem though. If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't specify a BaseDN, leave it empty! Just BaseDN Best regards, Alex On 2015-12-15 18:18, Joe Honnold wrote: Hi. I am working towards a config that does AD authentication with the addition of OTP. I have started the AD config and have hit an issue that I can not seem to get around. The log file states: Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ] I have completed some research via the docs and internet searching but nothing has pointed me in the right direction yet. Any input towards a resolution would be appreciated as I need this to work prior to adding the OTP settings to the config. radius.cfg file ====== # ad-ldap.cfg # # Example Radiator configuration file for authenticating from # Active Directory via LDAP2, possibly from a Unix host. # # This very simple file will allow you to get started with # a simple LDAP authentication system from AD. # # We suggest you start simple, prove to yourself that it # works and then develop a more complicated configuration. # # # You should consider this file to be a starting point only # $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $ Foreground LogStdout LogDir /var/log/radius DbDir /etc/radiator # User a lower trace level in production systems: Trace 4 # AuthPort 1645 AcctPort 1646 # You will probably want to add other Clients to suit your site. <Client 10.0.0.8> Secret IMNOTTELLLING </Client> # Authenticates users in the Organisational Unit called 'csx users' # The user name coming from the NAS must match the sAMAccountName # attribute of a user in that OU./ Users that are not in 'csx users' # will not be able to log in. <Handler> <AuthBy LDAP2> Debug 255 NoDefault Host 10.0.50.80 10.0.50.82 # Microsoft AD also listens on port 3268, and # requests received on that port are reported to be # more compliant with standard LDAP, so you may want to use: Port 3268 AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM AuthPassword PLAINTEXTPASSWORD BaseDN DC=MS, DC=DOMAIN, DC=com ServerChecksPassword UsernameAttr sAMAccountName HoldServerConnection FailureBackoffTime 0 AuthAttrDef logonHours,MS-Login-Hours,check </AuthBy> </Handler> ====== Cleansed log dump ====== Tue Dec 15 10:34:24 2015: DEBUG: Packet dump: *** Received from 10.0.100.8 port 58652 .... Code: Access-Request Identifier: 188 Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4> Attributes: User-Name = "UserJ" User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ Service-Type = Login-User NAS-IP-Address = 10.0.100.8 Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier '' Tue Dec 15 10:34:24 2015: DEBUG: Deleting session for UserJ, 10.0.100.8, Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2: Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268 Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268 Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 10.0.50.80:3268 Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ [UserJ] Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ] Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password Tue Dec 15 10:34:24 2015: DEBUG: Packet dump: *** Sending to 10.0.100.8 port 58652 .... Code: Access-Reject Identifier: 188 Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9 Attributes: Reply-Message = "Request Denied" Tue Dec 15 10:34:29 2015: DEBUG: Packet dump: *** Received from 10.0.100.8 port 58652 .... Code: Access-Request Identifier: 188 Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4> Attributes: User-Name = "UserJ" User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ Service-Type = Login-User NAS-IP-Address = 10.0.100.8 Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply Tue Dec 15 10:34:29 2015: DEBUG: Packet dump: *** Sending to 10.0.100.8 port 58652 .... Code: Access-Reject Identifier: 188 Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9 Attributes: Reply-Message = "Request Denied" Tue Dec 15 10:34:34 2015: DEBUG: Packet dump: *** Received from 10.0.100.8 port 58652 .... Code: Access-Request Identifier: 188 Authentic: <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4> Attributes: User-Name = "UserJ" User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ Service-Type = Login-User NAS-IP-Address = 10.0.100.8 Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply Tue Dec 15 10:34:34 2015: DEBUG: Packet dump: *** Sending to 10.0.100.8 port 58652 .... Code: Access-Reject Identifier: 188 Authentic: T<143>B*<10><203><165><29>6I<4>0<129><234><251>9 Attributes: Reply-Message = "Request Denied" _______________________________________________ radiator mailing list radiator@open.com.au<mailto:radiator@open.com.au> http://www.open.com.au/mailman/listinfo/radiator *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* _______________________________________________ radiator mailing list radiator@open.com.au<mailto:radiator@open.com.au> http://www.open.com.au/mailman/listinfo/radiator
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
