ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

Alan Buxey alan.buxey at gmail.com
Fri Sep 1 18:12:19 CEST 2017


"My config files seem to be the same among the different FR versions"

... They shouldn't be. The FR 3.0.x configs can vary quite a bit. You can't
just drop a 2.x config into a 3.x server.... You need to migrate your
config (read the 2.x config then apply relevant changes to the default 3.x
config)

alan

On 1 Sep 2017 2:23 pm, "Andrea Passuello" <andrea.passuello at widegroup.eu>
wrote:

Hi everyone,
I need a little help because I am trying to configure a FreeRadius 3.0.12 +
LDAP.

With the previous FR version (2.2.5) everything work fine and I was able to
authenticate my LDAP'users.

Now I am trying to replicate my configuration but I receive this error:

ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

My config files seem to be the same among the different FR versions.

This is my debug output:

(0) Received Access-Request Id 85 from MYCLIENT:47127 to MYSERVER:1812
length 86
(0)   User-Name = "MYUSER"
(0)   User-Password = "MYPASSWORD"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xa7d43fb7b44c2c15e704324f69e3e0d9
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-
enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "MYUSER", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=MYUSER)
(0) ldap: Performing search in "dc=MYCOMPANY,dc=MYDOMAIN" with filter
"(uid=MYUSER)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=MYUSER,ou=people,dc=
MYCOMPANY,dc=MYDOMAIN"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> MYUSER
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 85 from MYSERVER:1812 to MYCLIENT:47127 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 85 with timestamp +2
Ready to process requests


What do I wrong or miss?

Many thanks in advance for your help.

Andrea

--

Avvertenze ai sensi del D.Lgs.196 del 30/06/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
files allegati, sono da considerarsi strettamente riservati. Il loro
utilizzo è consentito esclusivamente al destinatario del messaggio, per le
finalità indicate nello stesso. Costituisce violazione ai principi dettati
dal D.Lgs. 196/2003: trattenere il messaggio stesso oltre il tempo
necessario, divulgarlo anche in parte, distribuirlo ad altri soggetti,
copiarlo od utilizzarlo per finalità diverse. In ogni momento potrà
richiederci la sospensione dell'impiego dei suoi dati, ad esclusione delle
comunicazioni effettuate in esecuzione di obblighi di legge. Qualora avesse
ricevuto questo messaggio senza esserne il destinatario La preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla distruzione
del messaggio stesso dal Suo sistema. Se desidera presentare un reclamo,
può trovare informazioni e supporto sul nostro sito www.widegroup.eu/reclami
​
o può scrivere a reclami at widegroup.eu. Grazie.

--

This message is confidential. It may also be privileged or otherwise
protected by work, product, immunity or other legal rules. If you have
received it by mistake, please let us know by e-mail reply and delete it
from your system; you may not copy this message or disclose its contents to
anyone. The integrity and security of this message cannot be guaranteed on
the Internet. If you want to submit a formal complaint, you can find
information and support on our website www.widegroup.eu/reclami​ or writing
to reclami at widegroup.eu. Thank you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
list/users.html


More information about the Freeradius-Users mailing list