When I was testing, everything was fine, following the documentation exactly:
1 Created a new AD domain, installed Certificate Services and the RADIUS client, then set the domain password policy and enabled that reversible encryption....
2 Created a domain account
3 Ran test-aaa on the AC, everything passed
But in the production environment it was like this:
1 An AD domain already existed
2 Many domain accounts already existed
3 Modified the domain password policy and enabled that reversible encryption....
4 test-aaa reported a wrong password
I checked the domain controller (which is also the RADIUS server), and the error was as follows:
User linshi10 was denied access.
Fully-Qualified-User-Name = ******.COM.CN\linshi10
NAS-IP-Address = 192.168.49.10
NAS-Identifier = AC_HUAWEI_AC6005
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = ac6005
Client-IP-Address = 192.168.49.10
NAS-Port-Type = Ethernet
NAS-Port =
Proxy-Policy-Name = Use for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = MD5-CHAP
EAP-Type =
Reason-Code = 19
Reason = The user cannot be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
I searched online and found a method:
Please try to enable the following policy in the Default Domain Policy GPO and test.
Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain
I had that policy set and it was not fixing my issue. The reason it wasn't fixing my issue is that once you have this policy set, you have to reset the password. If anyone has this issue, don't forget there are two steps to this process: 1) set up the account for reversible encryption, 2) reset the password.
I tried it: as soon as I changed linshi10's password, test-aaa passed... I tried several other domain accounts and it was the same.
I find it a hassle, but the configuration document requires enabling reversible encryption.... before AC-RADIUS-AD will work.
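The two-step fix above (turn on reversible encryption, then get every affected password stored again) can be automated. The following PowerShell is an added example, not code from the original post or from Huawei/Microsoft documentation; it assumes the RSAT ActiveDirectory module is installed, that the accounts the AC authenticates are members of a group called WLAN-Users (hypothetical name), and a hypothetical $Cutoff date for when reversible encryption was first enabled. It enables the flag per account instead of domain-wide and reports which accounts still hold a password that was set before the flag existed, which is exactly the Reason-Code 19 condition in the log above.

```powershell
# Added example: scope "store password using reversible encryption" to the accounts that
# actually authenticate with CHAP through the AC, then list the ones whose password predates
# the setting and so has no reversibly encrypted copy yet.
# Assumptions (hypothetical): group WLAN-Users holds the wireless users; $Cutoff is the
# moment reversible encryption was first turned on (domain policy or per-account flag).
Import-Module ActiveDirectory

$Group  = 'WLAN-Users'
$Cutoff = Get-Date '2013-01-01 00:00'

# Domain-wide policy state, for reference. The per-account flag below is the narrower choice:
# a reversibly encrypted password can be recovered in clear text by anyone who can read the
# directory database (DC backup, DCSync), so enable it only where CHAP/MS-CHAP needs it.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host "Domain policy ReversibleEncryptionEnabled = $($policy.ReversibleEncryptionEnabled)"

$users = Get-ADGroupMember -Identity $Group -Recursive |
         Where-Object { $_.objectClass -eq 'user' } |
         Get-ADUser -Properties AllowReversiblePasswordEncryption, PasswordLastSet, Enabled

$needReset = @()
foreach ($u in $users) {
    $justEnabled = $false

    # Step 1 from the post: the account (or the domain policy) must allow reversible encryption.
    if (-not $u.AllowReversiblePasswordEncryption -and -not $policy.ReversibleEncryptionEnabled) {
        Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $true
        Write-Host "$($u.SamAccountName): enabled reversible encryption on the account"
        $justEnabled = $true
    }

    # Step 2 from the post: the setting only applies to passwords stored AFTER it is set.
    # A password last set before that moment has no reversibly encrypted copy, so CHAP keeps
    # failing with Reason-Code 19 until the password is reset or changed.
    if ($justEnabled -or $null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $Cutoff) {
        Write-Host "$($u.SamAccountName): password last set $($u.PasswordLastSet), needs reset"
        $needReset += $u
    }
}

# Optional bulk reset. CHAP itself cannot change a password, so the user must change the
# temporary one at an interactive logon; ChangePasswordAtLogon forces that.
foreach ($u in $needReset) {
    $tmp = Read-Host -AsSecureString "Temporary password for $($u.SamAccountName) (empty = skip)"
    if ($tmp.Length -eq 0) { continue }
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $tmp
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    Write-Host "$($u.SamAccountName): password reset, change required at next logon"
}
```

Run it once after enabling the setting and again after the users have changed their passwords; accounts that still show PasswordLastSet before the cutoff are the ones that will still produce Reason-Code 19 on the RADIUS server. Existing accounts created before the setting will never pass CHAP without this second step, which is why the fresh test domain worked and the production domain did not.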