
KB18179 - Steel-Belted Radius (SBR) Enterprise doesn't establish connectivity to some LDAP servers over an encrypted connection.


Information

 
Last Modified Date: 8/1/2015 11:37 PM
Synopsis

This article explains why Steel-Belted Radius (SBR) Enterprise may not establish connectivity to some LDAP servers over an encrypted connection, even though SBR Enterprise may connect to some of them.

Problem or Goal

Example Scenario

An LDAP Authentication Header (.aut) file includes multiple LDAP servers configured under the [Server] and [Server/Name] sections.

Each server is holding a server certificate that was signed by a different Certification Authority.

[Settings]

SSL=1

Certificates= <path to the certificate files>

[Server]
s1=
s2=
s3=

[Server/s1]
Host=192.168.100.253
Port = 636

[Server/s2]
Host=192.168.100.252
Port = 636

[Server/s3]
Host=192.168.100.251
Port = 3269

This situation could generate the following kind of error message in the Steel-Belted Radius Enterprise server log:

 

(81: Can't contact LDAP server)

Cause

Each server is holding a server certificate that was signed by a different Certification Authority.

Solution

To resolve this situation, perform the procedure below on every LDAP server which has a server certificate that was issued by a different Certification Authority.

  1. Remove the existing LDAP Authentication Header (.aut) file.

  2. Generate new cert7.db and key3.db files.

  3. Create and configure a new LDAP Authentication Header (.aut) file.

  4. Specify the new location of the "db" files in the new .aut file.

  5. Point the new .aut file to the location of the DB files.

Recommendations:

1. Put all of these files in separate directories, as shown in the example below.

  • For Steel Belted Radius Enterprise 5.4:

    • Linux/Solaris platforms: app/funk/radius/certs/s1

    • MS Windows platforms: <drive>\Radius\Service\certs\s1

  • For Steel-Belted Radius Enterprise 6.0 and higher:

    • Linux/Solaris: opt/JNPRsbr/radius/certs

    • MS Windows platforms: <drive>\Program Files\Juniper Networks\Steel-Belted Radius\certs\s1

2. Point the new .aut file to the version of SBR Enterprise that is running.

[Settings]

SSL=1

Certificates= app/funk/radius/certs/s1

3. Make sure that SBR Enterprise is installed.
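The affected layout from the Example Scenario can be spotted before deployment by linting the .aut file. The following is an added example, not Juniper's code: the function name `audit_aut`, the sample path and the warning wording are assumptions, and it relies only on the key names and section layout shown in this article.

```python
import configparser

# Constructed sample mirroring this article's scenario; the path is a placeholder.
SAMPLE_AUT = """\
[Settings]
SSL=1
Certificates=/placeholder/certs
[Server]
s1=
s2=
s3=
[Server/s1]
Host=192.168.100.253
Port = 636
[Server/s2]
Host=192.168.100.252
Port = 636
[Server/s3]
Host=192.168.100.251
Port = 3269
"""

def audit_aut(text):
    """Return (servers, warnings) for the text of one .aut file.

    Assumes the key names and section layout shown in this article.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep server names' case so [Server/<name>] matches
    cfg.read_string(text)
    ssl_on = cfg.get("Settings", "SSL", fallback="0").strip() == "1"
    cert_dir = cfg.get("Settings", "Certificates", fallback="").strip()
    servers, warnings = [], []
    for name in (cfg.options("Server") if cfg.has_section("Server") else []):
        section = "Server/" + name
        if not cfg.has_section(section):
            warnings.append(f"{name}: listed in [Server] but [{section}] is missing")
            continue
        servers.append((name, cfg.get(section, "Host", fallback=""),
                        cfg.getint(section, "Port", fallback=0)))
    if ssl_on and not cert_dir:
        warnings.append("SSL=1 but no Certificates path is set")
    if ssl_on and len(servers) > 1:
        # Heuristic: the file cannot show which CA issued each server's certificate.
        warnings.append(f"{len(servers)} servers share {cert_dir or '<unset>'}; "
                        "if different CAs issued their certificates, give each "
                        "server its own .aut file and certificate directory")
    return servers, warnings

if __name__ == "__main__":
    for line in audit_aut(SAMPLE_AUT)[1]:
        print("WARNING:", line)
```

A file that lists a single server with its own certificate directory, as in the recommendation above, produces no warnings.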

Created By: Data Deployment
