
Netscaler 12 Radius Error


JBO


Hello,
I need some help figuring out the cause of a login problem.


We got the following environment:
2x delivery Controllers
2x Storefront Servers
1x License and Director Server
All installed in version 7.15 LTSR and everything is working fine.
1 x Netscaler in Release 12.0.58.15
1 x Radius Server

 

I’ve installed and configured the Netscaler Gateway several times without having major problems, but this time I keep getting login errors as soon as I activate the radius policy.
When trying to log on to the login page, it responds with "Invalid credentials".


Without the radius authentication policy everything works fine, so I tried several things:
- Login to the Radius Server using the same credentials -> no problem
- Tested the token -> no problem
- Resyncing the software
- Trying different kinds of token (Token-List / Handy App)
- Deleting the RADIUS policy + server and creating it new


Nothing changed the error.
At this moment there is no firewall between the servers, so nothing is blocked.
I’ve put the LDAP as primary and the RADIUS as secondary policy.
aaad.debug shows that the LDAP works fine; only the RADIUS part shows the following errors:

 


/home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[3956]: start_cascade_auth 0-58: starting cascade authentication
Fri Jul 20 13:24:11 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[772]: continue_radius_auth 0-58: RADIUS auth: Starting RADIUS authentication for user administrator @ 192.168.55.237
Fri Jul 20 13:24:11 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-58: RADIUS auth: Making radius request for user administrator
Fri Jul 20 13:24:11 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[4277]: register_timer 0-58: setting timer 73
Fri Jul 20 13:24:12 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[635]: main 0-0: timer 1 firing...
Fri Jul 20 13:24:12 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[635]: main 0-0: timer 2 firing...
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[2051]: process_radius 0-58: Got RADIUS event
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[4354]: unregister_timer 0-58: releasing timer 73
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[2167]: process_radius 0-58: Received RAD_ACCESS_REJECT for: administrator
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[2022]: process_rad_reject 0-58: RADIUS auth: Processing RADIUS reject for user administrator, Radius Attr: 18
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[2174]: process_radius 0-58: RADIUS auth: Authentication failed for user administrator from server 192.168.55.237 - Invalid Credentials
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[3494]: send_reject_with_code 0-58: Not trying cascade again
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[3496]: send_reject_with_code 0-58: sending reject to kernel for : administrator
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/naaad.c[3499]: send_reject_with_code 0-58: Rejecting with error code 4001

 


For some reason it never occurred to me to check these logs till you asked. The Radius server logs show this:

 


[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] New openotpSimpleLogin SOAP request
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] > Username: administrator
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] > Password: xxxxxx
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] > Options: RADIUS,-U2F
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Registered openotpSimpleLogin request
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Resolved LDAP user: CN=Administrator,CN=Users,DC=xx,DC=xx
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Resolved LDAP groups:
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Started transaction lock for user
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Found 1 user emails: Administrator@xx.xx
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Found 37 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPFallback=LIST,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Found 5 user data: LoginCount,RejectCount,TokenType,TokenKey,TokenState
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Found 1 registered OTP token (TOTP)
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] User has no OTP List registered - OTPFallback disabled
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Requested login factors: LDAP & OTP
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Wrong LDAP password
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Updated user data
[2018-07-20 13:24:15] [127.0.0.1] [OpenOTP:NS80PA7Y] Sent failure response

 

But I am 100% sure that the LDAP password is correct, I just tested it by using copy and paste. The direct login on the Radius Server website works.

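An added example, not part of the thread: aaad.debug only records RAD_ACCESS_REJECT for the user, while the reason for the reject appears in the RADIUS server's own log. The sketch below pairs the two logs by user and time, using lines excerpted from the logs quoted above; the function names, the 5-second skew window and the rule that reason lines start with "Wrong " are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the two logs quoted in this thread.
NS_LOG = """\
Fri Jul 20 13:24:13 2018
 /home/build/rs_120_58_8_RTM/usr.src/netscaler/aaad/radius_drv.c[2167]: process_radius 0-58: Received RAD_ACCESS_REJECT for: administrator
"""
OTP_LOG = """\
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] > Username: administrator
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Requested login factors: LDAP & OTP
[2018-07-20 13:24:14] [127.0.0.1] [OpenOTP:NS80PA7Y] Wrong LDAP password
[2018-07-20 13:24:15] [127.0.0.1] [OpenOTP:NS80PA7Y] Sent failure response
"""

def netscaler_rejects(text):
    """Yield (time, user) per RAD_ACCESS_REJECT; the timestamp line precedes its entry."""
    ts = None
    for line in text.splitlines():
        try:
            ts = datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            m = re.search(r"Received RAD_ACCESS_REJECT for: (\S+)", line)
            if m and ts:
                yield ts, m.group(1)

def openotp_failures(text):
    """Group OpenOTP lines by session id; keep sessions that sent a failure response."""
    sessions = {}
    for m in re.finditer(r"^\[([\d\- :]+)\] \[[^\]]*\] \[OpenOTP:(\w+)\] (.*)$", text, re.M):
        when, sid, msg = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]
        s = sessions.setdefault(sid, {"session": sid, "reason": None})
        if msg.startswith("> Username: "):
            s["user"] = msg.split(": ", 1)[1]
        elif msg.startswith("Requested login factors: "):
            s["factors"] = msg.split(": ", 1)[1]
        elif msg.startswith("Wrong "):  # assumption: reason lines look like the one in the thread
            s["reason"] = msg
        elif msg == "Sent failure response":
            s["failed_at"] = when
    return [s for s in sessions.values() if "failed_at" in s]

def correlate(ns_text, otp_text, skew=timedelta(seconds=5)):
    """Pair each NetScaler reject with the server-side failure for that user within `skew`."""
    failures = openotp_failures(otp_text)
    return [(u, f.get("factors"), f["reason"], f["session"])
            for ts, u in netscaler_rejects(ns_text) for f in failures
            if f.get("user") == u and abs(f["failed_at"] - ts) <= skew]

print(correlate(NS_LOG, OTP_LOG))
```

The skew window matters because the two hosts' clocks differ slightly in the quoted logs: the reject is logged at 13:24:13 on the NetScaler and the failure response at 13:24:15 on the RADIUS server.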
