반품
-
제목
How To: Use the RADIUS Test Tool to troubleshoot Defender authentication -
설명
The Radius Test Tool is a simple method to test Defender token authentication to confirm that the DSS is accepting and processing requests successfully. All authentication attempts using the tool are recorded in the DSS audit log. -
해결 방안
1. Login to Active Directory Users & Computers and navigate to the Defender | Access Nodes OU.
2. Create a new Access Node and select the default values in the wizard.
3. For this test, specify the address of your DSS as the IP of the Access Node.
4. Open the properties of the test Access Node.
5. Assign your DSS on the Servers tab, add your test user on the Members tab and set a Token Only policy on the Policy tab.
6. Restart the Defender Security Server Service on your DSS.
7. Download the attached RADIUS-Test-Utils.zip, copy it to your DSS and extract the ZIP.
8. Open Radius Test Client.exe.
9. The "IP" is that of the DSS. The Secret and Port are the same as specified in your Access Node.
10. Ignore the Challenge section and click OK.
11. In the window that appears, go to File and select Send Interactive...
12. Enter your username and a token reponse from the user's token in the Password field.
13. If the Defender authentication is successful, you will see "Access Approved".
14. You may also wish to test from a client workstation. Change the IP of the Access Node to the client address and test again.
NOTE: Some fields in the test tool, such as secrets and passwords will be displayed in plain text. -
첨부 파일
-
추가 정보
Other options for troubleshooting the UDP connection: 1. Some *nix operating systems will come with a RADIUS test utility installed - such as radtest or radclient. 2. Run a packet capture on the Defender Server, send some traffic from the client machines; confirm traffic received. 3. From the client machine, if netcat is installed it may be used to test a connection to the Defender port: Command: nc -vu1812 (output: Connection to 1812 port [udp/radius] succeeded!) [*** Note that due to the connectionless nature of UDP, this success message does not necessarily indicate a successful connection; the remaining steps must be reviewed] (then type text to send to the target IP:) Test from 192.168.1.1 (then type ctrl-c to exit netcat) The Defender DSS log may then be reviewed; an example output: Thu 30 Jul 2015 15:26:30 Unable to process request - Unknown packet type Thu 30 Jul 2015 15:26:30 Test from 192.168.1.1 (+0000) 54657374 2066726F 6D204142 432E0A While the connection is not a true RADIUS connection, this may assist in validating UDP traffic is reaching Defender on the correct UDP port.