
KB17484 - [SBR] Unable to authenticate through SBR Enterprise when enabling PrequalifyChecklist and configuring appropriate check list attributes for the Windows domain users


Information

 
Last Modified Date: 7/31/2015 7:04 PM
Synopsis
Unable to authenticate through SBR Enterprise when enabling PrequalifyChecklist and configuring appropriate check list attributes for the Windows domain users.
Problem or Goal

I enabled PrequalifyChecklist in the WINAUTH.AUT file, restarted the Steel-Belted Radius service, and configured the Windows Domain users in SBR Administrator with the Check list attributes. However, when a specific end user attempts to authenticate, the logs display:

05/31/2010 19:26:43 Unable to find user <username> with matching password

05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Authentication Response (reject)

Cause
Solution
Take another look at the authentication log for that specific authentication. In the example below, let's say we configured the NAS-IP-Address attribute in our Check list. The error log would display something like:

05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Determining if request is for a tunnel
05/31/2010 19:26:43 Determining if this radius should act as a proxy
05/31/2010 19:26:43 Determining user class
05/31/2010 19:26:43 Authenticating user azapata with authentication method Windows Domain User
05/31/2010 19:26:43 Missing checklist attribute NAS-IP-Address for user \\PFUNK\azapata
05/31/2010 19:26:43 Unable to find user azapata with matching password


So far, SBR is telling us that there is a missing checklist attribute. After verifying that you configured that specific Check list attribute for that user in SBR Administrator, take another look at the log. This time, focus on the Authentication Request (also known as "Access-Request") section:

05/31/2010 19:26:43 -----------------------------------------------------------
05/31/2010 19:26:43 Authentication Request
05/31/2010 19:26:43 Received From: ip=172.18.65.95 port=4571
05/31/2010 19:26:43 Packet : Code = 0x1 ID = 0x1
05/31/2010 19:26:43 Client Name = PRUEBA Dictionary Name = Radius.dct
05/31/2010 19:26:43 Vector =
05/31/2010 19:26:43 000: 8ec028a7 fac19840 b24c235d 62698166 |..(....@.L#]bi.f|
05/31/2010 19:26:43 Parsed Packet =
05/31/2010 19:26:43 User-Name : String Value = azapata
05/31/2010 19:26:43 User-Password : Value =
05/31/2010 19:26:43 000: 99d2fedf c476c05a d8b2510a b4809e9f |.....v.Z..Q.....|
05/31/2010 19:26:43 NAS-Port : Integer Value = 1
05/31/2010 19:26:43 NAS-Port-Type : Integer Value = 2
05/31/2010 19:26:43 Calling-Station-Id : String Value = 61435652914
05/31/2010 19:26:43 Called-Station-Id : String Value = RAMDOM


In a nutshell, a Check list attribute is something that SBR checks for in the Authentication Request packet, which is what the device acting as RADIUS client sends to SBR. In the log above, the device acting as RADIUS client did not send NAS-IP-Address in the Authentication Request packet. Therefore, SBR Enterprise rejected access for that user because the request failed the Check list attribute check.

If you are unable to configure your device to send the specific attribute you are checking for, SBR Enterprise has an option to work around this issue. In SBR Administrator, open the section where you configure the Check list attributes. Notice the option called "Default". Enabling this option in the Check list attributes editor tells SBR Enterprise to ignore the fact that the NAS-IP-Address attribute is not present in the Authentication Request packet.

This option is useful when more than one RADIUS client is configured and when more than one Check list attribute is configured.
Created By: Data Deployment
