Error with AD/freeradius config

Edge edgedemon at hotmail.com
Thu Jul 14 17:04:47 CEST 2011


I'm following the AD config guide over at deployingradius.com and think I
have an error in one of the config files; I suspect I'm not using the right
syntax, or have made another really simple error.

 

Fresh install of the latest FreeRADIUS version on Ubuntu - not the packaged
version, built from source.

PAP is working

I have configured and tested samba and ntlm_auth - both working fine

 

The deployingradius guide then states

 

<You will also have to list ntlm_auth in the authenticate sections of each
the raddb/sites-enabled/default file, and of the
raddb/sites-enabled/inner-tunnel file:>

 

This is where I have hit problems...

 

ERROR: No authenticate method (Auth-Type) found for the request:

 

The above error makes me think I have amended the config files incorrectly.
I have copied the /usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel files below, and at the end
the radius debug information. Can someone have a look at them and tell me
where I have gone wrong? I just didn't understand what format the entry had
to take, so copied the existing entries in both files. If you search for
ntlm_auth it will take you straight to the areas I have changed.

Many thanks

 

My /sites-enabled/default file - I have just copied the authentication
section, as everything else in the file is at default settings:

 

#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #  ntlm authentication.

        Auth-Type ntlm_auth {
                ntlm_auth
        }

        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
        digest

        #
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        #  For normal "crypt" authentication, the "pap" module should
        #  be used instead of the "unix" module.  The "unix" module should
        #  be used for authentication ONLY for compatibility with legacy
        #  FreeRADIUS configurations.
        #
        unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap

        #
        #  The older configurations sent a number of attributes in
        #  Access-Challenge packets, which wasn't strictly correct.
        #  If you want to filter out these attributes, uncomment
        #  the following lines.
        #
#       Auth-Type eap {
#               eap {
#                       handled = 1
#               }
#               if (handled && (Response-Packet-Type == Access-Challenge)) {
#                       attr_filter.access_challenge.post-auth
#                       handled  # override the "updated" code from attr_filter
#               }
#       }
}

 

 

My /sites-enabled/inner-tunnel file - again, I have just copied the section
I have added to:

 

 

#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user, or forcibly accept him.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  NTLM authentication.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap
}


My debug output is as follows:

 

rad_recv: Access-Request packet from host 127.0.0.1 port 44992, id=218, length=60
        User-Name = "xxxxxxxx"
        User-Password = "xxxxxxxxx"
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> xxxxxxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 218 to 127.0.0.1 port 44992
Waking up in 4.9 seconds.
Cleaning up request 16 ID 218 with timestamp +84526
Ready to process requests.

 

 

Many thanks
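As an added illustration (not part of this post or of the deployingradius.com guide) of the mechanism the stock comments above describe: a block named `Auth-Type ntlm_auth` in `authenticate` is only entered if something in `authorize` has first set `Auth-Type := ntlm_auth`, which is why the debug trace above ends in "No authenticate method (Auth-Type) found". The users-file entry below is one way to set it for a PAP test; it assumes an `exec` module instance named `ntlm_auth` defined in raddb/modules/ntlm_auth, as the guide's earlier steps set up.

```unlang
# raddb/users -- read by the 'files' module in the authorize section.
# Test-only entry: it forces Auth-Type for EVERY request that reaches it,
# so keep it only while checking PAP against AD and remove it afterwards
# (the stock comments above explain why forcing Auth-Type is normally wrong,
# and it would break EAP/MSCHAP requests that go through the same section).
DEFAULT        Auth-Type := ntlm_auth

# raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel:
# nothing in this block runs unless 'authorize' selected this Auth-Type.
authenticate {
        Auth-Type ntlm_auth {
                ntlm_auth        # instance assumed from raddb/modules/ntlm_auth
        }
}

# With the entry in place, the authorize pass in 'radiusd -X' should show
#   ++[files] returns ok
# instead of 'noop', and the request should then proceed into the
# ntlm_auth group rather than being rejected for having no Auth-Type.
```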

 

 
