Hello Bob -

ServerChecksPassword with AD will only work for PAP authentication - it won't work for CHAP or any MSCHAP variants.

You will see in the trace 4 debug the packet dumps.

regards

Hugh

On 14 Sep 2010, at 13:24, Bob Rotsted wrote:

> Hugh,
>
> Below is the information you requested:
>
> Logs
> -----------------------------------------
> Tue Sep 14 09:45:30 2010: NOTICE: SIGTERM received: stopping
> Tue Sep 14 09:45:30 2010: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
> Tue Sep 14 09:45:30 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Tue Sep 14 09:45:30 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Tue Sep 14 09:45:30 2010: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Sep 14 09:45:30 2010: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Sep 14 09:45:30 2010: NOTICE: Server started: Radiator 4.7 on x
>
>
> Tue Sep 14 09:46:48 2010: DEBUG: Handling request with Handler 'NAS-IP-Address=131.252.x.x', Identifier ''
> Tue Sep 14 09:46:48 2010: DEBUG: Deleting session for user. 131.252.x.x, 59
> Tue Sep 14 09:46:48 2010: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got result for <dn>
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got objectClass: top person organizationalPerson user
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got cn: user
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got sn: user
> Tue Sep 14 09:46:48 2010: DEBUG: LDAP got department: x
>
> (more LDAP spew)
>
> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 looks for match with user [user]
> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: user [user]
> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server 131.252.x.x:636
> Tue Sep 14 09:46:48 2010: DEBUG: No entries for DEFAULT found in LDAP database
> Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
> Tue Sep 14 09:46:48 2010: INFO: Access rejected for user: Bad Encrypted password
>
> Config
> -----------------------------------------
> <Handler NAS-IP-Address=131.252.x.x>
>     <AuthBy LDAP2>
>         #define the host
>         Host 131.252.x.x
>         UseSSL
>         Version 3
>         #define the port
>         Port 636
>         Debug 255
>         UsernameAttr sAMAccountName
>         ServerChecksPassword
>         AuthDN x
>         AuthPassword x
>         BaseDN dc=PSU, dc=X, dc=PDX, dc=EDU
>         SearchFilter (&(%0=%1)(x))
>         AddToReply Class = ou=x;
>     </AuthBy>
>
>
>     <AuthBy LDAP2>
>         #define the host
>         Host 131.252.x.x
>         UseSSL
>         Version 3
>         Port 636
>         Debug 255
>         UsernameAttr sAMAccountName
>         ServerChecksPassword
>         AuthDN x
>         AuthPassword x
>         BaseDN dc=PSU, dc=X, dc=PDX, dc=EDU
>         SearchFilter (&(%0=%1)(x))
>         AddToReply Class = ou=y;
>     </AuthBy>
>
> </Handler>
>
>
>
> Thanks for your assistance!
>
> --bob
>
>
> On 09/14/2010 10:44 AM, Hugh Irvine wrote:
>>
>> Hello Bob -
>>
>> We will need to see a copy of the configuration file and a more complete trace 4 debug showing the startup messages as well as what is happening with the requests.
>>
>> For the most flexibility I suggest the AuthBy clause on *NIX and the AuthBy LSA clause on Windows.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 14 Sep 2010, at 12:11, Bob Rotsted wrote:
>>
>>> Hi all,
>>>
>>> I'm attempting to use Authby LDAP2 to proxy authentication requests to our active directory server with the "ServerChecksPassword" switch.
>>>
>>> Everything appears to be working correctly -- binding completes, etc -- until the user's password is verified. When AD checks the user's password, Authby LDAP2 throws the following errors:
>>>
>>> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 looks for match with user [user]
>>> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: user [user]
>>> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.0.0:636
>>> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server 131.252.0.0:636
>>> Tue Sep 14 09:46:48 2010: DEBUG: No entries for DEFAULT found in LDAP database
>>> Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
>>> Tue Sep 14 09:46:48 2010: INFO: Access rejected for user: Bad Encrypted password
>>>
>>> My current configuration works on another server, perhaps my new server is missing a library? Anyone else experiencing this issue?
>>>
>>> Best,
>>>
>>> --
>>> Bob Rotsted
>>>
>>> Network Security Analyst
>>> Portland State University
>>> Desk: 503-725-6215
>>> Cell: 503-208-6575
>>> 314B D581 A8CD E28A A690 7E9D 5B43 4B28 0EB6 A21A
>>> _______________________________________________
>>> radiator mailing list
>>> [email protected]
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--

Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
- CATool: Private Certificate Authority for Unix and Unix-like systems.
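Added illustration, not code from the thread or from Radiator, of why a bind-as-user check such as ServerChecksPassword only works for PAP: with PAP the server holding the shared secret recovers the cleartext from User-Password (RFC 2865) and can present it in an LDAP bind, while CHAP (RFC 1994) delivers only a digest that can be checked solely against a cleartext the server already holds, and MS-CHAP likewise delivers only a challenge response. The attribute names are the standard RADIUS ones; the shared secret, authenticator, challenge and passwords are constructed sample values.

```python
import hashlib

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret || previous hidden block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(b ^ p for b, p in zip(block, pad))
        out += xored
        prev = block if decrypt else xored  # always chain on the hidden block
    return out

def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a NAS puts in User-Password (PAP): password NUL-padded to 16n, then hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, decrypt=False)

def recover_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a RADIUS server with the shared secret gets from a PAP request: the
    cleartext, which is exactly what a bind-as-user check against AD needs."""
    return _pap_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-Password value: id || MD5(id || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(stored_cleartext: bytes, chap_password: bytes, challenge: bytes) -> bool:
    """Server side of CHAP: the only check is to recompute the digest from a
    cleartext the server already holds. No password exists to bind with."""
    return chap_response(chap_password[0], stored_cleartext, challenge) == chap_password

def bind_check_possible(attrs: dict) -> tuple:
    """Classify a request by its password attribute: only PAP gives the server a
    cleartext it can forward in an LDAP bind (the ServerChecksPassword model)."""
    if "User-Password" in attrs:
        return True, "PAP: cleartext recoverable with the shared secret, bind can verify it"
    if "CHAP-Password" in attrs:
        return False, "CHAP: only a one-way digest arrives, bind cannot verify it"
    if any(name.startswith("MS-CHAP") for name in attrs):
        return False, "MS-CHAP: only a challenge response arrives, bind cannot verify it"
    return False, "no password attribute present"

if __name__ == "__main__":  # constructed sample values, not taken from the thread
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    hidden = hide_pap_password(b"Sup3rSecret!", secret, auth)
    print(recover_pap_password(hidden, secret, auth), bind_check_possible({"User-Password": hidden}))
    print(bind_check_possible({"CHAP-Password": chap_response(7, b"Sup3rSecret!", b"\x11" * 16)}))
```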
