
How do I get Steel Belted Radius to check against a security group in Active Directory

Posted on 2009-06-30
Last Modified: 2012-05-07
Hi Folks,

I was hoping you could point me in the right direction. I am setting up a new dial-up solution using Steel-Belted Radius (SBR) on a Windows 2003 server and Active Directory. At the moment I have everything working using native accounts within SBR. I would like to set this up so that SBR will check against a security group in Active Directory, where the accounts will be managed, and ensure the communication is encrypted.

I was looking for guidance on what type of encryption I should be looking at, as I have read that only certain types will work, but they didn't list the types.

Any help would be appreciated!

Thanks
Question by:goofball350
4 Comments

Accepted Solution

by:
arnold earned 500 total points
ID: 24754232

Author Comment

by:goofball350
ID: 24772261
I do agree on an IAS configuration; unfortunately, because there is a present solution half implemented, it doesn't look like I will be able to go that direction. Assuming that I can get this going.

I was able to locate the domain tab and add my security group using a browse function (so it sees the domain), with users populated. However, when dialing in I am unable to authenticate with my domain account. See debug below:

07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received from: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 01830083 fd7db83c 81b0707e 2f1096ad |.....}.<..p~/...|
07/02/2009 14:16:22 010: 31981db9 07060000 0001010c 74635c62 |1.......domain\d|
07/02/2009 14:16:22 020: 72697363 6f6e0313 01405a17 6abfa991 |riscom...@Z.j...|
07/02/2009 14:16:22 030: 7370b98a 5d0617fa 8f1f0c36 31333939 |sp..]......61399|
07/02/2009 14:16:22 040: 30353035 353d0600 0000001e 0c363133 |05055=.......613|
07/02/2009 14:16:22 050: 36383834 3030344d 1a343533 33332f32 |6884004M.45333/2|
07/02/2009 14:16:22 060: 34303030 20563930 2f563434 2f4c4150 |4000 V90/V44/LAP|
07/02/2009 14:16:22 070: 4d050600 0001fb06 06000000 0204068e |M...............|
07/02/2009 14:16:22 080: d2fc02                              |...             |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 2563 Entering
07/02/2009 14:16:22 Looking up shared secret
07/02/2009 14:16:22 Looking for RAS client NAS IP (removed for security reasons) in DB
07/02/2009 14:16:22 Matched NAS IP (removed for security reasons) to RAS client CISCO
07/02/2009 14:16:22 Parsing request
07/02/2009 14:16:22 Initializing cache entry
07/02/2009 14:16:22 Doing inventory check on request
07/02/2009 14:16:22 Getting info on requesting client
07/02/2009 14:16:22 NAS-IP-Address in request: NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Request
07/02/2009 14:16:22 Received From: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22 Packet : Code = 0x1 ID = 0x83
07/02/2009 14:16:22 Client Name = CISCO Dictionary Name = Radius.dct
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: fd7db83c 81b0707e 2f1096ad 31981db9 |.}.<..p~/...1...|
07/02/2009 14:16:22 Parsed Packet =
07/02/2009 14:16:22 Framed-Protocol : Integer Value = 1
07/02/2009 14:16:22 User-Name : String Value = tc\driscom
07/02/2009 14:16:22 CHAP-Password : Value =
07/02/2009 14:16:22 000: 01405a17 6abfa991 7370b98a 5d0617fa |.@Z.j...sp..]...|
07/02/2009 14:16:22 010: 8f                                  |.               |
07/02/2009 14:16:22 Calling-Station-Id : String Value = 6139905055
07/02/2009 14:16:22 NAS-Port-Type : Integer Value = 0
07/02/2009 14:16:22 Called-Station-Id : String Value = 6136884004
07/02/2009 14:16:22 Connect-Info : String Value = 45333/24000 V90/V44/LAPM
07/02/2009 14:16:22 NAS-Port : Integer Value = 507
07/02/2009 14:16:22 Service-Type : Integer Value = 2
07/02/2009 14:16:22 NAS-IP-Address : IPAddress = NAS IP (removed for security reasons)
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Determining if request is for a tunnel
07/02/2009 14:16:22 Determining if this radius should act as a proxy
07/02/2009 14:16:22 Determining user class
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain Group
07/02/2009 14:16:22 Authenticating user tc\driscom with authentication method Windows Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain Group
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method NT Domain User
07/02/2009 14:16:22 Authenticating user TC\driscom with authentication method Native User
07/02/2009 14:16:22 Unable to find user tc\driscom with matching password
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Packet : Code = 0x3 ID = 0x83
07/02/2009 14:16:22 Vector =
07/02/2009 14:16:22 000: c622968f 042c7335 d938e6c0 f0a10c31 |."...,s5.8.....1|
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Authentication Response (reject)
07/02/2009 14:16:22 Sent to: ip=NAS IP (removed for security reasons) port=**** (removed for security reasons)
07/02/2009 14:16:22
07/02/2009 14:16:22 Raw Packet :
07/02/2009 14:16:22 000: 03830014 c622968f 042c7335 d938e6c0 |....."...,s5.8..|
07/02/2009 14:16:22 010: f0a10c31                            |...1            |
07/02/2009 14:16:22
07/02/2009 14:16:22 -----------------------------------------------------------
07/02/2009 14:16:22 Packet containing 20 bytes successfully sent
07/02/2009 14:16:22 Sent reject response
07/02/2009 14:16:22 E:\build\sbrnt\SBR\xradius\radauthd.c radAuthHandleRequest() 3231 Exiting
07/02/2009 14:17:23 -----------------------------------------------------------



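The parsed packet in the debug output above carries a CHAP-Password and no User-Password, so the NAS is authenticating with CHAP. A RADIUS server can only verify a CHAP response if it holds the cleartext password: the response is MD5 over the CHAP identifier, the password and the challenge (RFC 1994), and when the request has no CHAP-Challenge attribute the 16-byte Request Authenticator is the challenge (RFC 2865 section 5.3). A domain controller does not hold the cleartext unless reversible encryption is enabled for the account, which is why a CHAP request can fail against the Windows domain methods while native SBR accounts work. The following Python script is an added example, not code from this thread or from Steel-Belted Radius: it parses a RADIUS Access-Request, performs the CHAP check the way a server must, and for comparison decodes a PAP User-Password hidden with the shared secret, which leaves the server with a cleartext it can pass on to the domain. The packet bytes, shared secret, password and fixed authenticator are constructed for the example.

```python
"""Added example: what a RADIUS server needs in order to verify the
CHAP-Password seen in the debug log, contrasted with PAP's User-Password.
Not code from the thread or from Steel-Belted Radius. Packet bytes, shared
secret and password below are constructed for the example."""
import hashlib
import hmac
import struct

# Attribute types used here (RFC 2865 numbers).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE, NAS_PORT_TYPE = 1, 2, 3, 60, 61
ACCESS_REQUEST = 1


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        raise ValueError("Length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject bogus lengths before slicing
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise an Access-Request from (type, value) pairs (values must be under 254 bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def chap_response(chap_id: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: the NAS sends ID || MD5(ID || password || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + cleartext_password + challenge).digest()


def verify_chap(packet: bytes, cleartext_password: bytes) -> bool:
    """Server-side check. The cleartext password is an input to the MD5, so the
    check cannot be made from a stored password hash (hence reversible encryption for AD-backed CHAP)."""
    code, _ident, authenticator, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return False
    a = dict(attrs)
    chap = a.get(CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        return False
    # RFC 2865 section 5.3: with no CHAP-Challenge attribute, the Request Authenticator is the challenge.
    challenge = a.get(CHAP_CHALLENGE, authenticator)
    expected = chap_response(chap[0], cleartext_password, challenge)
    return hmac.compare_digest(chap, expected)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_user_password; the previous *ciphertext* block feeds the next MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")  # strips the padding (passwords are text, so no real trailing NULs)


def recover_pap_password(packet: bytes, secret: bytes) -> bytes:
    """What the server gets with PAP: the cleartext, which it can hand to the domain for checking."""
    _code, _ident, authenticator, attrs = parse_radius(packet)
    return unhide_user_password(dict(attrs)[USER_PASSWORD], secret, authenticator)


# Constructed sample data (not from the thread); a fixed authenticator keeps the run reproducible,
# whereas a real NAS must use a fresh random one per request.
SECRET = b"example-shared-secret"
PASSWORD = b"Correct-Horse-Battery"
AUTHENTICATOR = bytes(range(16))
CHAP_REQUEST = build_access_request(0x83, AUTHENTICATOR, [
    (USER_NAME, b"tc\\driscom"),
    (CHAP_PASSWORD, chap_response(0x01, PASSWORD, AUTHENTICATOR)),
    (NAS_PORT_TYPE, struct.pack("!I", 0)),
])
PAP_REQUEST = build_access_request(0x84, AUTHENTICATOR, [
    (USER_NAME, b"tc\\driscom"),
    (USER_PASSWORD, hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)),
])

if __name__ == "__main__":
    print("CHAP ok with cleartext password:", verify_chap(CHAP_REQUEST, PASSWORD))
    print("CHAP ok with wrong password:    ", verify_chap(CHAP_REQUEST, b"wrong"))
    print("PAP cleartext seen by server:   ", recover_pap_password(PAP_REQUEST, SECRET))
```

The design choice worth noting: neither CHAP nor the PAP hiding scheme protects the exchange against an attacker on the path between NAS and server beyond the strength of the MD5 construction and the shared secret, so "encrypted" in the question really means choosing an authentication method the back end can verify (PAP or MS-CHAP against a domain, CHAP only with reversibly stored passwords) and protecting the RADIUS link itself by keeping it on a trusted network segment.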

Expert Comment

by:arnold
ID: 24773178
The error seems to deal with the inability to locate the user with a matching password.
I think that would mean that the rejection is based on username/password.

Can you generate test auth-requests on the SBR?
What are the dial-up settings on the user's account?
What are the check items on the SBR configuration to grant access?
I.e. user/password, connection type, specific group membership, etc.?

Author Comment

by:goofball350
ID: 24978655
Sorry for the delay; I have convinced my management to move to IAS. Look for posts soon for setting that up... lol. Thanks for the help.
