ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Alan DeKok aland at deployingradius.com
Mon Sep 25 16:23:33 CEST 2017


On Sep 25, 2017, at 10:13 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> 
> People, I have working OK a Freeradius with AD Authentication and LDAP
> Authorization. Everything is OK when I use my service to authenticate users
> for the WiFi service.

  That's good.

> But now I want to add a Cisco Firepower IPS authentication, and I fail. The
> Cisco Firepower IPS has a Radius configuration interface where I fill out
> all the basic necessary data: Radius IP and port, Secret and Default User
> Role.

  If the policies are very different from WiFi, you might want to use a different virtual server.  See raddb/sites-available/README

> In the Freeradius server, I have edited
> /etc/freeradius/sites-available/default and inner-tunnel files, adding a
> clause similar to the current ones, as follows (the unique condition is the
> user belongs to IPS LDAP group):
> 
> if .....
> .......
> elsif (LDAP-Group == "IPS") {
>         update reply {
>                 Reply-Message = "Hello %{User-Name}: Access enabled to Firepower"
>         }
>         ok
> }
> else {
>         reject
> }
> 
> and the Freeradius debug output is this:

   OK...

> rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp
>  [ldap] ldap_release_conn: Release Id: 0
> ? Evaluating (LDAP-Group == "IPS") -> TRUE
> ++? elsif (LDAP-Group == "IPS") -> TRUE
> ++elsif (LDAP-Group == "IPS") {
> +++update reply {
>        expand: Hello %{User-Name}: Access enabled to Firepower -> Hello
> adam: Access enabled to Firepower
> +++} # update reply = noop
> +++[ok] = ok
> ++} # elsif (LDAP-Group == "IPS") = ok
> ++ ... skipping else for request 203: Preceding "if" was taken
> +} # group authorize = ok
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.

  Well that's clear.

> Please can you help me???

  Do you want to authenticate those users?  If so, how? LDAP?  Where are their accounts stored?

  Right now, you're not authenticating them at all.

  Alan DeKok.
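
The debug output above shows the `authorize` policy returning `ok` while nothing sets the control attribute `Auth-Type`, so the server has no `authenticate` subsection to run and rejects the request. The fragment below is an added illustration, not configuration from the thread or from either poster: it assumes the Firepower sends a plain `User-Password` (PAP) and that the accounts are verified by an LDAP bind through an `ldap` module instance that is already configured.

```unlang
# Added illustration, not from the thread.
# Assumptions: the NAS sends User-Password (PAP); passwords are verified
# by LDAP bind; an "ldap" module instance already exists.
authorize {
        ldap

        if (LDAP-Group == "IPS") {
                update reply {
                        Reply-Message = "Hello %{User-Name}: Access enabled to Firepower"
                }

                # Group membership only authorizes the user. Auth-Type selects
                # which authenticate subsection verifies the password.
                if (User-Password) {
                        update control {
                                Auth-Type := LDAP
                        }
                }
        }
        else {
                reject
        }
}

authenticate {
        # Runs only when control:Auth-Type is LDAP; binds to the directory
        # as the user with the supplied password.
        Auth-Type LDAP {
                ldap
        }
}
```

With this in place, a request from a member of the IPS group that carries no `User-Password` still ends in the same "No authenticate method" rejection, which is the fail-closed outcome: group membership alone never grants access.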



