Problems with LDAP authentication

  • 2
  • Question
  • Updated 6 months ago
Hi everyone, we have a problem with authentication using LDAP. The RADIUS server is an access point, an AP230. It's configured, and if we run the LDAP test there is no problem, it is successful, but if we run the RADIUS server test we can't get access; we always receive the answer "The RADIUS server rejected the Access Request message. Check the submitted user name and password." I attach some images with the results of the tests. Our HiveManager is On Premise. Thanks a lot for all your help.



Hector Rios

  • 14 Posts
  • 1 Reply Like

Posted 2 years ago

  • 2

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Are real stations/clients able to authenticate?

Hector Rios

  • 14 Posts
  • 1 Reply Like
Please check this configuration; that's what I have configured for the RADIUS settings in the access point AP230.

Thanks.


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The authentication selection is wrong, as you are allowing LEAP and MD5; both of these are vulnerable EAP methods that should not be allowed.

The point that I ought to make is that you do not need to use the RADIUS test tool, your clients are working.

The RADIUS test tool only really checks for the reachability of a RADIUS server, it does not act as a supplicant would. It is largely a meaningless test therefore and you should not be concerned with it.

The tool primarily exists for when external, third party RADIUS servers are being used and you wish to probe them.

Nick
(Edited)

Hector Rios

  • 14 Posts
  • 1 Reply Like
Hi Nick,

I tried to authenticate from a client and this is what I see in client monitor.



Any idea?

Thanks.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
So now you're saying that clients cannot authenticate? I previously asked if they could and you said yes! :P

Hector Rios

  • 14 Posts
  • 1 Reply Like
What I was trying to say is that other infrastructure that uses this LDAP can authenticate via 802.1X, but if I try with this configuration in Aerohive they can't.


Sorry about the confusion.

Jonas Dekkers

  • 152 Posts
  • 29 Reply Likes
Do you have strange characters in the password? We had some problems in the past with a password that used a question mark (?). I know, very strange behavior :-D.

Also check the username under AAA User Directory Settings that does the user lookup. Verify that the RADIUS AP is added to the domain correctly and that the name isn't changed. Have you also added all the access points to the RADIUS client settings under Aerohive AAA Server settings?
(Edited)

Hector Rios

  • 14 Posts
  • 1 Reply Like
Hi Jonas, 

Thanks for your comment. I have checked all these parameters and everything is fine.

We don't have AD; we just need the clients to authenticate with the LDAP server.

Thanks.

Rodrigo

  • 19 Posts
  • 4 Reply Likes
Hello, could place settings LDAP integration ?

Hector Rios

  • 14 Posts
  • 1 Reply Like
Hi Rodrigo,



Thanks.

Eastman Rivai, Official Rep

  • 146 Posts
  • 17 Reply Likes
Hector,

Please confirm whether you use an LDAP server and not a Microsoft AD. When you use LDAP, the password stored in the LDAP server should be stored as clear text. PEAP-MSCHAP requires the clear-text password in order to hash it. If the stored password is encrypted, PEAP-MSCHAP will fail.
Please check how the password is stored in the AD.

If the server you are using is an AD you should use AD method rather than LDAP method.

_debug radiusd verbose on the AP running the radius server should give you information why the authentication fails.

Eastman

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The hash that Eastman refers to is the NT hash. This is intrinsically available in a Windows Active Directory Domain but is not usually in other directories, hence the need for a plaintext/cleartext password to be able to create this hash on the fly.
(Edited)

Rodrigo

  • 19 Posts
  • 4 Reply Likes
Hello, could place settings LDAP integration ?

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I do not think that anybody here understands your question, sorry.
Can you rephrase it so that we can understand what it is that you want to know?

Hector Rios

  • 14 Posts
  • 1 Reply Like
Hi, 

I'm going to try to explain my problem again...

I have an access point that is working as a RADIUS server. To authenticate, it uses an LDAP server (Sun Directory Server).

If I use the AD and LDAP Test tool from HM, I can get all the information about the user that I want. But if I use the RADIUS Test tool, the authentication fails.

I tried to authenticate a computer on this SSID and the authentication fails. At that moment I had the command "debug console all" running on the access point, and this is what I see:



I tried changing the LDAP filter, but the answer is always the same.

We are using this LDAP for other services and it works, but not with this Aerohive integration.

I hope this time you understand what I'm trying to explain.

Thanks.

Hector

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hector, my comment was intended for Rodrigo.

Hector Rios

  • 14 Posts
  • 1 Reply Like
Hi everyone,

Question: is it possible in some way with Aerohive to authenticate directly to LDAP without using a RADIUS server, for example with a Captive Web Portal?

Thanks.

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
LDAP is strictly the database, RADIUS is the authentication method to authenticate to that database.

Best,
BJ 

geniusofwind

  • 2 Posts
  • 0 Reply Likes
Hi, Hector Rios,
Have you solved this problem? I have the same question as you.

Thanks.

Remko

  • 1 Post
  • 0 Reply Likes
Hi,

Did anyone solve this problem? I'm stuck in the same situation.

I also followed the steps on https://community.aerohive.com/aerohive/topics/can_someone_provide_me_with_a_step_by_step_guide_for_...
But that didn't help me out.

Your support is appreciated!