
Topic: Problems getting Radius to talk to AD correctly


Offline jcoehoorn

Problems getting Radius to talk to AD correctly
« on: February 14, 2017, 11:52:13 AM »
Running 5.8.2 on an RFS4010. I'm trying to set up the onboard radius service to let me authenticate via Active Directory. I'm following the Wing5.x How-To guide for AD authentication published on michaelfmcnamara.com (thx :D)

So far, I have a radius policy defined, and I can get it to let a test user log in, but only with a few caveats:

1. I can't get encrypted communications to work between AD and Wing. It only works if I leave the ldap port at 389 and don't use start-tls or tls-mode. I really want this traffic to be encrypted, but I have no idea what I'm doing wrong.

2. It only accepts the password for my test user if I put in a custom attribute for the passwd-attr field other than the UserPassword mentioned in the guide, and then store the password in that attribute. If I do this, authentication will validate the password entered when connecting vs whatever I have stored here. It's one thing to use reversible encryption for the ldap agent account, but it is another thing entirely and not at all okay to update all my end users to store their passwords this way.

3. This is less important, but ultimately I'd like the user to enter their UPN name instead of the sAMAccountName, and I'm having trouble getting the correct ldap string. I'll probably get this working on my own eventually, but if someone just knows what it should look like, it would save me a ton of time in trial and error.

Any ideas how to get around these problems?
« Last Edit: February 14, 2017, 11:56:06 AM by jcoehoorn »


Offline jcoehoorn

Re: Problems getting Radius to talk to AD correctly
« Reply #1 on: February 14, 2017, 12:23:01 PM »
Okay... UserPrincipalName works. (It was actually a pretty easy change).

From the guide, this:

(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

becomes this:

(userPrincipalName=%{Stripped-User-Name:-%{User-Name}})

Still need help with the other stuff. Looking at some accounts in AD Users and Computers, the userPassword, unixUserPassword, and unicodePwd attributes all show up as "<not set>".
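Added example (not code from the thread, from WiNG, or from the how-to guide): a small stand-alone Python model of the user lookup the filter above performs. It resolves the `%{Stripped-User-Name:-%{User-Name}}` expansion the way a realm-aware RADIUS server would (use the stripped name if the server set one, otherwise the raw User-Name), builds the `userPrincipalName` or `sAMAccountName` filter, and escapes the value per RFC 4515 before it goes into the filter. The `split_realm` helper is an assumption about how realm stripping behaves on a generic RADIUS server, not a description of the WiNG implementation; the sample logins are constructed.

```python
"""Model of the RADIUS-to-LDAP user lookup from the thread (added example).

Shows three things a defender cares about when moving the filter from
sAMAccountName to userPrincipalName:
  1. how %{Stripped-User-Name:-%{User-Name}} resolves,
  2. that realm stripping turns 'jdoe@corp.example.com' into 'jdoe', which a
     userPrincipalName filter will then fail to match,
  3. that the substituted value must be RFC 4515-escaped so a crafted
     User-Name cannot change the meaning of the filter.
"""

from typing import Dict

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_realm(user_name: str) -> Dict[str, str]:
    """Mimic a realm-aware RADIUS server's handling of 'user@realm' logins.

    Assumption (generic RADIUS behaviour, not WiNG-specific): when a realm is
    recognised, the server sets Stripped-User-Name to the bare name and Realm
    to the suffix. A login without '@' yields only User-Name.
    """
    attrs = {"User-Name": user_name}
    if "@" in user_name:
        bare, realm = user_name.rsplit("@", 1)
        attrs["Stripped-User-Name"] = bare
        attrs["Realm"] = realm
    return attrs


def expand_user_name(attrs: Dict[str, str]) -> str:
    """Resolve %{Stripped-User-Name:-%{User-Name}}: the stripped name if the
    server set it, otherwise the raw User-Name."""
    return attrs.get("Stripped-User-Name") or attrs["User-Name"]


def build_user_filter(attrs: Dict[str, str], attr: str = "userPrincipalName") -> str:
    """Build the search filter from the guide, with the value escaped."""
    return f"({attr}={escape_filter_value(expand_user_name(attrs))})"


if __name__ == "__main__":
    # Constructed sample logins, not taken from the original thread.
    for login in ("jdoe", "jdoe@corp.example.com", "*)(objectClass=*"):
        print(f"{login!r:26} raw        -> {build_user_filter({'User-Name': login})}")
        print(f"{login!r:26} realm-aware -> {build_user_filter(split_realm(login))}")
```

The second case is the one to check when switching to the UPN filter: if the RADIUS side strips the realm, the filter is built from the bare name and never matches a userPrincipalName, so either leave realm stripping off for this policy or keep the sAMAccountName filter for stripped names. The third case shows why whatever performs the `%{...}` substitution must escape the value; if it does not, the filter itself changes shape.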