Solved

How do I get Steel Belted Radius to check against a security group in Active Directory

Posted on 2009-06-30
Last Modified: 2012-05-07
Hi Folks,

I was hoping you could point me in the right direction. I am setting up a new dial up solution using a Steel Belted Radius (SBR) on a WIN2003 server and Active Directory. At the moment I have everything working using native accounts within SBR. I would like to set this up so that SBR will check against a security group in Active Directory where the accounts will be managed, and ensure the communication is encrypted.

I was looking for guidance on what type of encryption I should be looking at, as I have read that only certain types will work, only they didn't list the types.

Any help would be appreciated!

Thanks
Question by:goofball350

4 Comments

LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 24754232
Author Comment

by:goofball350
ID: 24772261
I do agree with an IAS configuration; unfortunately, because there is a present solution half implemented, it doesn't look like I will be able to go that direction. Assuming that I can get this going.

I was able to locate the domain tab and add my security group using a browse function (so it sees the domain), with users populated. However, when dialing in I am unable to authenticate with my domain account. See the debug below:

07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received from: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 01830083 fd7db83c 81b0707e 2f1096ad |.....}.<..p~/...|
07/02/2009 14:16:22 010: 31981db9 07060000 0001010c 74635c62 |1.......domain\d|
07/02/2009 14:16:22 020: 72697363 6f6e0313 01405a17 6abfa991 |riscom...@Z.j...|
07/02/2009 14:16:22 030: 7370b98a 5d0617fa 8f1f0c36 31333939 |sp..]......61399|
07/02/2009 14:16:22 040: 30353035 353d0600 0000001e 0c363133 |05055=.......613|
07/02/2009 14:16:22 050: 36383834 3030344d 1a343533 33332f32 |6884004M.45333/2|
07/02/2009 14:16:22 060: 34303030 20563930 2f563434 2f4c4150 |4000 V90/V44/LAP|
07/02/2009 14:16:22 070: 4d050600 0001fb06 06000000 0204068e |M...............|
07/02/2009 14:16:22 080: d2fc02                              |...             |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 2563 Entering
07/02/2009 14:16:22 Looking up shared secret
07/02/2009 14:16:22 Looking for RAS client NAS IP (removed for security reasons) in DB
07/02/2009 14:16:22 Matched NAS IP (removed for security reasons) to RAS client CISCO
07/02/2009 14:16:22 Parsing request
07/02/2009 14:16:22 Initializing cache entry
07/02/2009 14:16:22 Doing inventory check on request
07/02/2009 14:16:22 Getting info on requesting client
07/02/2009 14:16:22 NAS-IP-Address in request: NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received From: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22 Packet : Code = 0x1 ID = 0x83
07/02/2009 14:16:22 Client Name = CISCO Dictionary Name = Radius.dct
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: fd7db83c 81b0707e 2f1096ad 31981db9 |.}.<..p~/...1...|
07/02/2009 14:16:22 Parsed Packet =
07/02/2009 14:16:22 Framed-Protocol : Integer Value = 1
07/02/2009 14:16:22 User-Name : String Value = tc\driscom
07/02/2009 14:16:22 CHAP-Password : Value =
07/02/2009 14:16:22 000: 01405a17 6abfa991 7370b98a 5d0617fa |.@Z.j...sp..]...|
07/02/2009 14:16:22 010: 8f                                  |.               |
07/02/2009 14:16:22 Calling-Station-Id : String Value = 6139905055
07/02/2009 14:16:22 NAS-Port-Type : Integer Value = 0
07/02/2009 14:16:22 Called-Station-Id : String Value = 6136884004
07/02/2009 14:16:22 Connect-Info : String Value = 45333/24000 V90/V44/LAPM
07/02/2009 14:16:22 NAS-Port : Integer Value = 507
07/02/2009 14:16:22 Service-Type : Integer Value = 2
07/02/2009 14:16:22 NAS-IP-Address : IPAddress = NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Determining if request is for a tunnel
07/02/2009 14:16:22 Determining if this radius should act as a proxy
07/02/2009 14:16:22 Determining user class
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain Group
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain Group
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method Native User
07/02/2009 14:16:22 Unable to find user tc\driscom with matching password
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Packet : Code = 0x3 ID = 0x83
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: c622968f 042c7335 d938e6c0 f0a10c31 |."...,s5.8.....1|
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Sent to: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 03830014 c622968f 042c7335 d938e6c0 |....."...,s5.8..|
07/02/2009 14:16:22 010: f0a10c31                            |...1            |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Packet containing 20 bytes successfully sent
07/02/2009 14:16:22 Sent reject response
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 3231 Exiting
07/02/2009 14:17:23 -----------------------------------------------------------
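As an added example (not code from the post, from SBR or from Juniper), here is a small Python decoder for the two "Raw Packet" dumps in the trace above. It strips the timestamp, offset and ASCII columns, splits the Access-Request into its RFC 2865 header and attribute list, checks the length fields, and pairs it with the Access-Reject by packet ID. The attribute dictionary is the subset of the standard RADIUS dictionary this trace uses. Note that the dump was edited by hand before posting (the ASCII column reads `domain\d` where the hex holds `tc\b`), so the decoded User-Name differs by two letters from the `tc\driscom` in the "Parsed Packet" lines; the decoder reports what the hex bytes actually contain.

```python
import re
import struct
from ipaddress import IPv4Address

# "Raw Packet" lines copied from the SBR trace posted above (the Access-Request and the Access-Reject).
REQUEST_DUMP = r"""
07/02/2009 14:16:22 000: 01830083 fd7db83c 81b0707e 2f1096ad |.....}.<..p~/...|
07/02/2009 14:16:22 010: 31981db9 07060000 0001010c 74635c62 |1.......domain\d|
07/02/2009 14:16:22 020: 72697363 6f6e0313 01405a17 6abfa991 |riscom...@Z.j...|
07/02/2009 14:16:22 030: 7370b98a 5d0617fa 8f1f0c36 31333939 |sp..]......61399|
07/02/2009 14:16:22 040: 30353035 353d0600 0000001e 0c363133 |05055=.......613|
07/02/2009 14:16:22 050: 36383834 3030344d 1a343533 33332f32 |6884004M.45333/2|
07/02/2009 14:16:22 060: 34303030 20563930 2f563434 2f4c4150 |4000 V90/V44/LAP|
07/02/2009 14:16:22 070: 4d050600 0001fb06 06000000 0204068e |M...............|
07/02/2009 14:16:22 080: d2fc02                              |...             |
"""
REJECT_DUMP = r"""
07/02/2009 14:16:22 000: 03830014 c622968f 042c7335 d938e6c0 |....."...,s5.8..|
07/02/2009 14:16:22 010: f0a10c31                            |...1            |
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# The part of the standard RADIUS dictionary (RFC 2865/2869) that this trace uses.
ATTRIBUTES = {
    1: ("User-Name", "string"),
    2: ("User-Password", "octets"),
    3: ("CHAP-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"),
    7: ("Framed-Protocol", "integer"),
    30: ("Called-Station-Id", "string"),
    31: ("Calling-Station-Id", "string"),
    60: ("CHAP-Challenge", "octets"),
    61: ("NAS-Port-Type", "integer"),
    77: ("Connect-Info", "string"),
}

# Matches the offset and hex groups of one dump line; the timestamp before and the ASCII column after are ignored.
HEX_LINE = re.compile(r"\b[0-9a-f]{3}: ((?:[0-9a-f]{2,8} ?)+)")


def hex_dump_to_bytes(dump: str) -> bytes:
    """Rebuild packet bytes from SBR 'Raw Packet' lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.search(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_packet(raw: bytes) -> dict:
    """Split a RADIUS packet into header fields and decoded attributes (RFC 2865 section 3)."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field says {length} bytes but {len(raw)} were supplied")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"dangling attribute byte at offset {pos}")
        a_type, a_len = raw[pos], raw[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} at offset {pos} has bad length {a_len}")
        value = raw[pos + 2:pos + a_len]
        name, kind = ATTRIBUTES.get(a_type, (f"Attr-{a_type}", "octets"))
        if kind == "integer" and len(value) == 4:
            decoded = struct.unpack("!I", value)[0]
        elif kind == "ipaddr" and len(value) == 4:
            decoded = str(IPv4Address(value))
        elif kind == "string":
            decoded = value.decode("utf-8", errors="replace")
        else:
            decoded = value.hex()  # CHAP-Password and anything unknown stay as hex
        attrs.append((name, decoded))
        pos += a_len
    return {"code": CODES.get(code, code), "id": ident, "authenticator": raw[4:20].hex(), "attributes": attrs}


def auth_summary(request: dict, response: dict) -> dict:
    """The facts worth checking first when reading a reject: who, which method, and whether the reply matches."""
    attrs = dict(request["attributes"])  # one of each attribute in this trace; keep duplicates in a real tool
    if "CHAP-Password" in attrs:
        method = "CHAP"
    elif "User-Password" in attrs:
        method = "PAP"
    else:
        method = "other (e.g. EAP)"
    return {
        "user": attrs.get("User-Name"),
        "method": method,
        # RFC 2865 section 5.3: with no CHAP-Challenge attribute, the Request Authenticator is the challenge.
        "chap_challenge_source": "CHAP-Challenge attribute" if "CHAP-Challenge" in attrs else "Request Authenticator",
        "response": response["code"],
        "id_matches": request["id"] == response["id"],
    }


if __name__ == "__main__":
    req = parse_packet(hex_dump_to_bytes(REQUEST_DUMP))
    rej = parse_packet(hex_dump_to_bytes(REJECT_DUMP))
    for name, value in req["attributes"]:
        print(f"{name:20} {value}")
    print(auth_summary(req, rej))
```

The summary shows the request carrying a CHAP-Password (CHAP identifier byte followed by the 16-byte response) with no CHAP-Challenge attribute, so the Request Authenticator served as the challenge, and a 20-byte Access-Reject with the same ID and no attributes. As a general protocol property, CHAP (RFC 1994) requires the verifying side to hold the password in cleartext in order to recompute the MD5 response, so which authentication method a RADIUS server can validate depends on what form the backing directory can supply the password in; that is a caveat for the choice of method, not a diagnosis of this particular reject.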
LVL 79

Expert Comment

by:arnold
ID: 24773178
The error seems to deal with the inability to locate the user with a matching password.
I think that would mean that the rejection is based on username/password.

Can you generate test auth-requests on the SBR?
What are the dial-up settings on the user's account?
What are the check items on the SBR configuration to grant access?
I.e. user/password, connection type, specific group membership, etc.?
Author Comment

by:goofball350
ID: 24978655
Sorry for the delay, I have convinced my management to move to IAS.  Look for posts soon for setting that up...lol  Thanks for the help.