Solved

How do I get Steel Belted Radius to check against a security group in Active Directory

Posted on 2009-06-30
4
1,166 Views
Last Modified: 2012-05-07
Hi Folks,

I was hoping you could point me in the right direction. I am setting up a new dial-up solution using Steel Belted Radius (SBR) on a WIN2003 server and Active Directory. At the moment I have everything working using native accounts within SBR. I would like to set this up so that SBR will check against a security group in Active Directory, where the accounts will be managed, and ensure the communication is encrypted.

I was looking for guidance on what type of encryption I should be looking at as I have read that only certain types will work, only they didn't list the types.

Any help would be appreciated!

Thanks
Question by: goofball350

4 Comments
 
LVL 78

Accepted Solution

by: arnold earned 500 total points
ID: 24754232

Author Comment

by:goofball350
ID: 24772261
I do agree about an IAS configuration; unfortunately, because there is a present solution half implemented, it doesn't look like I will be able to go in that direction. Assuming that I can get this going.

I was able to locate the domain tab and add my security group using a browse function (so it sees the domain), with users populated. However, when dialing in I am unable to authenticate with my domain account. See debug below:

07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received from: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 01830083 fd7db83c 81b0707e 2f1096ad |.....}.<..p~/...|
07/02/2009 14:16:22 010: 31981db9 07060000 0001010c 74635c62 |1.......domain\d|
07/02/2009 14:16:22 020: 72697363 6f6e0313 01405a17 6abfa991 |riscom...@Z.j...|
07/02/2009 14:16:22 030: 7370b98a 5d0617fa 8f1f0c36 31333939 |sp..]......61399|
07/02/2009 14:16:22 040: 30353035 353d0600 0000001e 0c363133 |05055=.......613|
07/02/2009 14:16:22 050: 36383834 3030344d 1a343533 33332f32 |6884004M.45333/2|
07/02/2009 14:16:22 060: 34303030 20563930 2f563434 2f4c4150 |4000 V90/V44/LAP|
07/02/2009 14:16:22 070: 4d050600 0001fb06 06000000 0204068e |M...............|
07/02/2009 14:16:22 080: d2fc02                              |...             |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 2563 Entering
07/02/2009 14:16:22 Looking up shared secret
07/02/2009 14:16:22 Looking for RAS client NAS IP (removed for security reasons) in DB
07/02/2009 14:16:22 Matched NAS IP (removed for security reasons) to RAS client CISCO
07/02/2009 14:16:22 Parsing request
07/02/2009 14:16:22 Initializing cache entry
07/02/2009 14:16:22 Doing inventory check on request
07/02/2009 14:16:22 Getting info on requesting client
07/02/2009 14:16:22 NAS-IP-Address in request: NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received From: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22 Packet : Code = 0x1 ID = 0x83
07/02/2009 14:16:22 Client Name = CISCO Dictionary Name = Radius.dct
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: fd7db83c 81b0707e 2f1096ad 31981db9 |.}.<..p~/...1...|
07/02/2009 14:16:22 Parsed Packet =
07/02/2009 14:16:22 Framed-Protocol : Integer Value = 1
07/02/2009 14:16:22 User-Name : String Value = tc\driscom
07/02/2009 14:16:22 CHAP-Password : Value =
07/02/2009 14:16:22 000: 01405a17 6abfa991 7370b98a 5d0617fa |.@Z.j...sp..]...|
07/02/2009 14:16:22 010: 8f                                  |.               |
07/02/2009 14:16:22 Calling-Station-Id : String Value = 6139905055
07/02/2009 14:16:22 NAS-Port-Type : Integer Value = 0
07/02/2009 14:16:22 Called-Station-Id : String Value = 6136884004
07/02/2009 14:16:22 Connect-Info : String Value = 45333/24000 V90/V44/LAPM
07/02/2009 14:16:22 NAS-Port : Integer Value = 507
07/02/2009 14:16:22 Service-Type : Integer Value = 2
07/02/2009 14:16:22 NAS-IP-Address : IPAddress = NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Determining if request is for a tunnel
07/02/2009 14:16:22 Determining if this radius should act as a proxy
07/02/2009 14:16:22 Determining user class
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain Group
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain Group
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method Native User
07/02/2009 14:16:22 Unable to find user tc\driscom with matching password
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Packet : Code = 0x3 ID = 0x83
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: c622968f 042c7335 d938e6c0 f0a10c31 |."...,s5.8.....1|
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Sent to: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 03830014 c622968f 042c7335 d938e6c0 |....."...,s5.8..|
07/02/2009 14:16:22 010: f0a10c31                            |...1            |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Packet containing 20 bytes successfully sent
07/02/2009 14:16:22 Sent reject response
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 3231 Exiting
07/02/2009 14:17:23 -----------------------------------------------------------

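The "Raw Packet" hex dump in the debug log above is a complete RADIUS Access-Request, so it can be decoded by hand to see exactly what the NAS sent. The following is an added example written for this thread (it is not code from the poster, from Experts Exchange or from the SBR product): a small RFC 2865 packet parser run over that hex dump. Two things about the embedded bytes are assumptions or deliberate changes: the four address bytes of the final NAS-IP-Address attribute are zeroed here to honour the poster's redaction of the NAS address, and the User-Name bytes as posted were evidently edited by the poster (they decode to a slightly different string than the parsed view shows), so the example does not rely on their exact value. What the decode does show reliably is that the only password-carrying attribute is CHAP-Password (type 3); MS-CHAP and MS-CHAPv2 would instead arrive as Microsoft vendor-specific attributes (type 26, vendor 311). That distinction is the answer to the "what type of encryption" question: CHAP (RFC 1994) requires the authenticating server to hold the cleartext password, so a Windows-based RADIUS server can only verify CHAP against Active Directory when the account's password is stored with reversible encryption, whereas MS-CHAPv2 is verified against the stored NT hash.

```python
"""Decode the RADIUS Access-Request hex dump from the SBR debug log.

Added example, not part of the original thread. Packet bytes are copied
from the log's "Raw Packet" lines; the NAS-IP-Address value is zeroed
(constructed change) to keep the poster's redaction. Names per RFC 2865.
"""
import struct

# Standard attribute types (RFC 2865) that occur in the posted packet.
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    7: "Framed-Protocol", 26: "Vendor-Specific", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 61: "NAS-Port-Type", 77: "Connect-Info",
}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}
MICROSOFT_VENDOR_ID = 311  # IANA enterprise number used for MS-CHAP VSAs

# Hex dump as posted on 07/02/2009; last attribute's address bytes zeroed.
SBR_REQUEST_HEX = """
01830083 fd7db83c 81b0707e 2f1096ad
31981db9 07060000 0001010c 74635c62
72697363 6f6e0313 01405a17 6abfa991
7370b98a 5d0617fa 8f1f0c36 31333939
30353035 353d0600 0000001e 0c363133
36383834 3030344d 1a343533 33332f32
34303030 20563930 2f563434 2f4c4150
4d050600 0001fb06 06000000 02040600
000000
"""


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes.

    Raises ValueError when the header length disagrees with the data or an
    attribute runs past the end, i.e. when the packet is malformed.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"header length {length} != actual {len(packet)}")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}


def describe_attr(atype: int, value: bytes) -> str:
    """Render one attribute the way the SBR 'Parsed Packet' view does."""
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype in (5, 6, 7, 61) and len(value) == 4:       # integer attributes
        return f"{name} = {struct.unpack('!I', value)[0]}"
    if atype == 4:                                        # IPv4 (zeroed copy)
        return f"{name} = {'.'.join(str(b) for b in value)}"
    if atype == 3:                                        # CHAP ident + MD5
        return f"{name} = ident 0x{value[0]:02x}, response {value[1:].hex()}"
    return f"{name} = {value.decode('latin-1')!r}"


def decode_hex_dump(dump: str) -> dict:
    """Parse a whitespace-separated hex dump into a described packet."""
    parsed = parse_radius(bytes.fromhex("".join(dump.split())))
    parsed["code_name"] = CODE_NAMES.get(parsed["code"], "unknown")
    parsed["described"] = [describe_attr(t, v) for t, v in parsed["attributes"]]
    return parsed


def auth_methods_in_request(parsed: dict) -> list:
    """Name the password-carrying attributes the NAS sent; this decides what
    the RADIUS server must be able to verify against the directory."""
    found = []
    for atype, value in parsed["attributes"]:
        if atype == 2:
            found.append("User-Password (PAP)")
        elif atype == 3:
            found.append("CHAP-Password (CHAP)")
        elif atype == 26 and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == MICROSOFT_VENDOR_ID:
                found.append("Microsoft VSA (MS-CHAP family)")
    return found


if __name__ == "__main__":
    p = decode_hex_dump(SBR_REQUEST_HEX)
    print(f"{p['code_name']} id=0x{p['id']:02x} length={p['length']}")
    for line in p["described"]:
        print("  ", line)
    print("Password attributes:", auth_methods_in_request(p))
```

The parser is strict on purpose: a length field that disagrees with the byte count, or an attribute that overruns the packet, raises instead of being silently skipped, which is the behaviour you want from anything that reads RADIUS off the wire. The Access-Reject in the log (code 3, 20 bytes, no attributes) parses with the same function; its Response Authenticator cannot be checked here because that requires the shared secret.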
 
LVL 78

Expert Comment

by:arnold
ID: 24773178
The error seems to deal with the inability to locate the user with a matching password.
I think that would mean that the rejection is based on username/password.

Can you generate test auth-requests on the SBR?
What are the dial-up settings on the user's account?
What are the check items on the SBR configuration to grant access?
I.e. user/password, connection type, specific group membership, etc.?
 

Author Comment

by:goofball350
ID: 24978655
Sorry for the delay; I have convinced my management to move to IAS. Look for posts soon for setting that up...lol. Thanks for the help.