goofball350 asked:
How do I get Steel Belted Radius to check against a security group in Active Directory

Hi Folks,

I was hoping you could point me in the right direction. I am setting up a new dial-up solution using Steel Belted Radius (SBR) on a Windows 2003 server and Active Directory. At the moment I have everything working using native accounts within SBR. I would like to set this up so that SBR checks against a security group in Active Directory, where the accounts will be managed, and to ensure the communication is encrypted.

I was looking for guidance on what type of encryption I should be looking at as I have read that only certain types will work, only they didn't list the types.

Any help would be appreciated!

Thanks
ASKER CERTIFIED SOLUTION
arnold
This solution is only available to members of Experts Exchange.
goofball350 (ASKER):
I do agree about an IAS configuration; unfortunately, because there is a present solution half implemented, it doesn't look like I will be able to go that direction. Assuming that I can get this going:

I was able to locate the domain tab and add my security group using a browse function (so it sees the domain), with users populated. However, when dialing in I am unable to authenticate with my domain account. See debug below:

07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received from: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 01830083 fd7db83c 81b0707e 2f1096ad |.....}.<..p~/...|
07/02/2009 14:16:22 010: 31981db9 07060000 0001010c 74635c62 |1.......domain\d|
07/02/2009 14:16:22 020: 72697363 6f6e0313 01405a17 6abfa991 |riscom...@Z.j...|
07/02/2009 14:16:22 030: 7370b98a 5d0617fa 8f1f0c36 31333939 |sp..]......61399|
07/02/2009 14:16:22 040: 30353035 353d0600 0000001e 0c363133 |05055=.......613|
07/02/2009 14:16:22 050: 36383834 3030344d 1a343533 33332f32 |6884004M.45333/2|
07/02/2009 14:16:22 060: 34303030 20563930 2f563434 2f4c4150 |4000 V90/V44/LAP|
07/02/2009 14:16:22 070: 4d050600 0001fb06 06000000 0204068e |M...............|
07/02/2009 14:16:22 080: d2fc02                              |...             |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 2563 Entering
07/02/2009 14:16:22 Looking up shared secret
07/02/2009 14:16:22 Looking for RAS client NAS IP (removed for security reasons) in DB
07/02/2009 14:16:22 Matched NAS IP (removed for security reasons) to RAS client CISCO
07/02/2009 14:16:22 Parsing request
07/02/2009 14:16:22 Initializing cache entry
07/02/2009 14:16:22 Doing inventory check on request
07/02/2009 14:16:22 Getting info on requesting client
07/02/2009 14:16:22 NAS-IP-Address in request: NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received From: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22 Packet : Code = 0x1 ID = 0x83
07/02/2009 14:16:22 Client Name = CISCO Dictionary Name = Radius.dct
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: fd7db83c 81b0707e 2f1096ad 31981db9 |.}.<..p~/...1...|
07/02/2009 14:16:22 Parsed Packet =
07/02/2009 14:16:22 Framed-Protocol : Integer Value = 1
07/02/2009 14:16:22 User-Name : String Value = tc\driscom
07/02/2009 14:16:22 CHAP-Password : Value =
07/02/2009 14:16:22 000: 01405a17 6abfa991 7370b98a 5d0617fa |.@Z.j...sp..]...|
07/02/2009 14:16:22 010: 8f                                  |.               |
07/02/2009 14:16:22 Calling-Station-Id : String Value = 6139905055
07/02/2009 14:16:22 NAS-Port-Type : Integer Value = 0
07/02/2009 14:16:22 Called-Station-Id : String Value = 6136884004
07/02/2009 14:16:22 Connect-Info : String Value = 45333/24000 V90/V44/LAPM
07/02/2009 14:16:22 NAS-Port : Integer Value = 507
07/02/2009 14:16:22 Service-Type : Integer Value = 2
07/02/2009 14:16:22 NAS-IP-Address : IPAddress = NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Determining if request is for a tunnel
07/02/2009 14:16:22 Determining if this radius should act as a proxy
07/02/2009 14:16:22 Determining user class
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain Group
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain Group
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method Native User
07/02/2009 14:16:22 Unable to find user tc\driscom with matching password
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Packet : Code = 0x3 ID = 0x83
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: c622968f 042c7335 d938e6c0 f0a10c31 |."...,s5.8.....1|
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Sent to: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 03830014 c622968f 042c7335 d938e6c0 |....."...,s5.8..|
07/02/2009 14:16:22 010: f0a10c31                            |...1            |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Packet containing 20 bytes successfully sent
07/02/2009 14:16:22 Sent reject response
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 3231 Exiting
07/02/2009 14:17:23 -----------------------------------------------------------
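One detail worth checking in the trace above, before digging into group membership: the NAS delivered the password as a CHAP-Password attribute (type 3, length 0x13, one identifier byte plus a 16-byte MD5 response), and SBR then tried the Windows Domain Group / Windows Domain User methods. CHAP (RFC 1994) can only be verified by recomputing MD5(identifier || plaintext password || challenge), so a backend that holds just one-way password hashes cannot check it unless the account's password is stored reversibly; PAP delivers the plaintext (obfuscated with the shared secret per RFC 2865 section 5.2), which the server can hand to any backend; MS-CHAPv2 is computed from the NT hash and is what Windows-backed dial-up normally uses. That is also the answer to the original question about which "encryption types" work against a domain. The example below is added here and is not code from the thread or from Steel-Belted Radius: it builds and parses RFC 2865 Access-Requests in the same shape as the logged one, verifies a CHAP response against a plaintext password, and recovers a PAP User-Password with the shared secret. All usernames, passwords, secrets and authenticators in it are constructed.

```python
"""RADIUS Access-Request parsing, CHAP verification and PAP decryption (RFC 2865, RFC 1994).
Added example for this thread, not SBR code; every value below is constructed."""
import hashlib
import struct

ACCESS_REQUEST = 1
# Attribute types (RFC 2865)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def build_access_request(ident, authenticator, attrs):
    """Serialise an Access-Request: 20-byte header, then type/length/value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, ident, request_authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def auth_method(attrs):
    """Which password scheme the NAS used (the SBR debug prints the same attribute name)."""
    types = {t for t, _ in attrs}
    if CHAP_PASSWORD in types:
        return "CHAP"
    if USER_PASSWORD in types:
        return "PAP"
    return "other"  # MS-CHAP/MS-CHAPv2 (vendor attributes) and EAP-Message are not handled here


def chap_response(chap_ident, plaintext_password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_ident]) + plaintext_password + challenge).digest()


def verify_chap(packet, plaintext_password):
    """CHAP can only be checked by recomputing the MD5 over the *plaintext* password;
    a store holding just a one-way hash (NT hash, salted SHA, ...) cannot do this."""
    _, _, req_auth, attrs = parse_radius(packet)
    a = dict(attrs)
    chap_ident, response = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
    # RFC 2865 5.3: with no CHAP-Challenge attribute, the Request Authenticator is the challenge
    challenge = a.get(CHAP_CHALLENGE, req_auth)
    return response == chap_response(chap_ident, plaintext_password, challenge)


def pap_encrypt(password, shared_secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret || previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(packet, shared_secret):
    """Recover the plaintext from User-Password. The server can then pass it to any backend
    (an LDAP bind, a Windows logon call), which is why PAP works against a one-way-hash store.
    Note the only protection on the wire is this MD5 keystream from the shared secret."""
    _, _, req_auth, attrs = parse_radius(packet)
    enc = dict(attrs)[USER_PASSWORD]
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


# Constructed sample data (not taken from the thread's log).
REQ_AUTH = bytes(range(16))            # fixed Request Authenticator so the demo is repeatable
SECRET = b"example-shared-secret"      # NAS/RADIUS shared secret (constructed)
USER = b"EXAMPLE\\jdoe"                 # DOMAIN\user form, as the NAS sent it in the log
PASSWORD = b"correct horse battery"

CHAP_PACKET = build_access_request(0x83, REQ_AUTH, [
    (USER_NAME, USER),
    (CHAP_PASSWORD, bytes([0x01]) + chap_response(0x01, PASSWORD, REQ_AUTH)),  # length 0x13, like the log
])
PAP_PACKET = build_access_request(0x84, REQ_AUTH, [
    (USER_NAME, USER),
    (USER_PASSWORD, pap_encrypt(PASSWORD, SECRET, REQ_AUTH)),
])

if __name__ == "__main__":
    for pkt in (CHAP_PACKET, PAP_PACKET):
        _, ident, _, attrs = parse_radius(pkt)
        print("ID 0x%02x method %s" % (ident, auth_method(attrs)))
    print("CHAP verifies with plaintext:", verify_chap(CHAP_PACKET, PASSWORD))
    print("CHAP verifies with wrong pw: ", verify_chap(CHAP_PACKET, b"wrong"))
    print("PAP plaintext recovered:     ", pap_decrypt(PAP_PACKET, SECRET))
```

The practical consequence: a NAS negotiating plain CHAP against an AD-backed RADIUS server will fail exactly as logged unless the domain accounts store passwords reversibly, which is a poor trade; switching the NAS to MS-CHAPv2 (or PAP with a long random shared secret, since PAP's only wire protection is that MD5 keystream) is the usual fix, and is a setting to confirm on the Cisco side before suspecting the group lookup.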



The error seems to deal with the inability to locate the user with a matching password.
I think that would mean that the rejection is based on username/password.

Can you generate test auth-requests on the SBR?
What are the dial-up settings on the user's account?
What are the check items on the SBR configuration to grant access?
I.e. user/password, connection type, specific group membership, etc.?
Sorry for the delay; I have convinced my management to move to IAS. Look for posts soon on setting that up... lol. Thanks for the help.