<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="+1"><tt>I constantly get this error:<br>
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user<br>
</tt></font><br>
Why?<br>
<br>
<br>
On 07/28/2010 08:07 AM, <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a>
wrote:
<blockquote
cite="mid:mailman.116972.1280275662.33630.freeradius-users@lists.freeradius.org"
type="cite">
<pre wrap="">
Today's Topics:
1. Re: SV: FR proxy to ACS and NPS with MS CHAP v2 (SagiBarOr)
2. RHDS (Natr Brazell)
3. RE: Bug #17 (MS-CHAP user names) (Garber, Neal)
4. incorrect auth-type (Sallee, Stephen (Jake))
5. Re: RHDS (John Dennis)
6. coa proxy'ing with a NAC device (Kevin Ehlers)
7. Passing variables from inner tunnel (newtownz)
----------------------------------------------------------------------
Message: 1
Date: Tue, 27 Jul 2010 04:12:16 -0700 (PDT)
From: SagiBarOr <a class="moz-txt-link-rfc2396E" href="mailto:sagi.bar-or@intel.com"><sagi.bar-or@intel.com></a>
Subject: Re: SV: FR proxy to ACS and NPS with MS CHAP v2
To: <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:29275298.post@talk.nabble.com"><29275298.post@talk.nabble.com></a>
Content-Type: text/plain; charset=UTF-8
Thank you for the info Jan. The radiusd-x files were included in the zip
files. Though I guess the other logs were overwhelming.
I now posted the two log files here.
The file cn-check_splitauth.log is from the first free radius.
The file ldap_mschapv2.log is from the second FR server which does the MS
CHAP v2 portion.
Note that everything works in this configuration. No issues. What I would like
the forum to advise is what might be non std or missing in the MS CHAP v2
session, which FR overcomes.
When I replace the 2nd FR with MS NPS or Cisco NPS the authentication fails,
looks like because the pwd (hash) does not match.
Thanks
Sagi
Madsen.Jan JMD wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
I think you need to stop the radius process and then start it with radiusd
-X
This will run freeradius in the window you are starting it in, in debug
mode.
On Linux it will look something like this
/usr/sbin/freeradius -X (Default Debian install directory)
Or in a manually compiled
/opt/freeradius-1.1.8/sbin/radiusd -X (My install location)
And the output that comes from that is what Phil wants :)
Best regards
Jan Madsen
-----Original message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org">freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org</a>
[<a class="moz-txt-link-freetext" href="mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org">mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org</a>] On behalf
of SagiBarOr
Sent: 15 July 2010 09:46
To: <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>
Subject: Re: FR proxy to ACS and NPS with MS CHAP v2
Thank you for the clarification Phil. I am not sure what "radius -x"
means. I posted the two output files I have. Are these the ones? If not, pls
elaborate.
Note that these are the output files for the two FR servers, for which
everything is just fine. What does not work is when the second server is
not FR but NPS or ACS. I hope this data will suffice to identify the issue or
at least give good leads.
Phil Mayers wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
On 07/14/2010 11:17 PM, SagiBarOr wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
Files posted.
</pre>
</blockquote>
<pre wrap="">
No.
Post the output of "radiusd -X" to the list.
We don't need anything else; just that.
-
List info/subscribe/unsubscribe? See
<a class="moz-txt-link-freetext" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a>
</pre>
</blockquote>
<pre wrap=""><a class="moz-txt-link-freetext" href="http://old.nabble.com/file/p29170161/cn-check_splitauth.log">http://old.nabble.com/file/p29170161/cn-check_splitauth.log</a>
cn-check_splitauth.log
<a class="moz-txt-link-freetext" href="http://old.nabble.com/file/p29170161/ldap_mschapv2.log">http://old.nabble.com/file/p29170161/ldap_mschapv2.log</a> ldap_mschapv2.log
--
View this message in context:
<a class="moz-txt-link-freetext" href="http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170161.html">http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170161.html</a>
Sent from the FreeRadius - User mailing list archive at Nabble.com.
__________________________________________________________________________________________
KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR no. 26911745
KMD is a member of IT-Branchen and Dansk Erhverv and is registered with
Datatilsynet as a data processing service company. KMD is certified according to
ISO 9001:2000, with Dansk Standard as the certifying body, and is also a
Microsoft Gold Certified Partner and Certified SAP Hosting Center.
<a class="moz-txt-link-abbreviated" href="http://www.kmd.dk">www.kmd.dk</a> <a class="moz-txt-link-abbreviated" href="http://www.kundenet.kmd.dk">www.kundenet.kmd.dk</a> <a class="moz-txt-link-abbreviated" href="http://www.organisator.dk">www.organisator.dk</a>
<a class="moz-txt-link-abbreviated" href="http://www.kmdinternational.com">www.kmdinternational.com</a>
If you received this e-mail by mistake, please notify me and delete it.
Thank you.
</pre>
</blockquote>
<pre wrap=""><a class="moz-txt-link-freetext" href="http://old.nabble.com/file/p29275298/cn-check_splitauth.log">http://old.nabble.com/file/p29275298/cn-check_splitauth.log</a>
cn-check_splitauth.log
<a class="moz-txt-link-freetext" href="http://old.nabble.com/file/p29275298/ldap_mschapv2.log">http://old.nabble.com/file/p29275298/ldap_mschapv2.log</a> ldap_mschapv2.log
--
View this message in context: <a class="moz-txt-link-freetext" href="http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29275298.html">http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29275298.html</a>
Sent from the FreeRadius - User mailing list archive at Nabble.com.
------------------------------
Message: 2
Date: Tue, 27 Jul 2010 12:59:43 -0400
From: Natr Brazell <a class="moz-txt-link-rfc2396E" href="mailto:natrbrazell@gmail.com"><natrbrazell@gmail.com></a>
Subject: RHDS
To: <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>
Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:AANLkTimumkhagDih-xi4FhfXQybKgcPsNkxaTeMmHtWp@mail.gmail.com"><AANLkTimumkhagDih-xi4FhfXQybKgcPsNkxaTeMmHtWp@mail.gmail.com></a>
Content-Type: text/plain; charset="iso-8859-1"
Anyone using the Redhat Directory Server (RHDS) or 389-server versions of
LDAP with their freeradius services? Curious really?
Thanks,
Nate Brazell
------------------------------
Message: 3
Date: Tue, 27 Jul 2010 13:37:46 -0400
From: "Garber, Neal" <a class="moz-txt-link-rfc2396E" href="mailto:Neal.Garber@energyeast.com"><Neal.Garber@energyeast.com></a>
Subject: RE: Bug #17 (MS-CHAP user names)
To: "'FreeRadius users mailing list'"
<a class="moz-txt-link-rfc2396E" href="mailto:freeradius-users@lists.freeradius.org"><freeradius-users@lists.freeradius.org></a>
Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:3FF48394E621F14F97A9117CF92D138E585EF5FAED@EEROCH1CMS1.Energyeast.net"><3FF48394E621F14F97A9117CF92D138E585EF5FAED@EEROCH1CMS1.Energyeast.net></a>
Content-Type: text/plain; charset="us-ascii"
</pre>
<blockquote type="cite">
<pre wrap="">I've done some minor editing to the patches, and put them into the
code for 2.1.10.
</pre>
</blockquote>
<pre wrap="">
I just downloaded and installed 2.1.10 on my test server. So far, everything looks good. Thank you Alan.
------------------------------
Message: 4
Date: Tue, 27 Jul 2010 13:13:51 -0500
From: "Sallee, Stephen (Jake)" <a class="moz-txt-link-rfc2396E" href="mailto:Jake.Sallee@umhb.edu"><Jake.Sallee@umhb.edu></a>
Subject: incorrect auth-type
To: <a class="moz-txt-link-rfc2396E" href="mailto:freeradius-users@lists.freeradius.org"><freeradius-users@lists.freeradius.org></a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:4E2E6B81A1D0FE4E8E2B01F5FE9A0126109DC9A6@newman.umhb.edu"><4E2E6B81A1D0FE4E8E2B01F5FE9A0126109DC9A6@newman.umhb.edu></a>
Content-Type: text/plain; charset="us-ascii"
I am new to FreeRADIUS so please be patient with me. I am scouring the
docs as I write this but so far I have been stumped. Below I have
included the debug output of my server when I send it an authentication
request.
You will see that the user is found and authenticated by the
"ntlm_auth_Cru" module, however the user is still rejected because the
server says no auth-type was configured for the request. Any help is
appreciated.
I have the following lines in my users file:
-----------------
DEFAULT Auth-Type := ntlm_auth
        Fall-Through = Yes
-----------------
I also have the following in my radius.conf:
------------------
redundant ntlm_auth {
    group {
        ntlm_auth_Cru {
            reject = 1
            ok = return
        }
        ntlm_auth_UMHB {
            reject = 1
            ok = return
        }
    }
}
------------------
Here is the debug output:
------------------
rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
length=51
User-Name = "image"
User-Password = "image"
NAS-IP-Address = 10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: +++- entering group {...}
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] expand:
--username=%{mschap:User-Name} -> --username=image
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] expand:
--password=%{User-Password} -> --password=image
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program: returned: 0
Tue Jul 27 13:01:03 2010 : Info: ++++[ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: +++- group returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[expiration] returns noop
Tue Jul 27 13:01:03 2010 : Info: ++[logintime] returns noop
GOT CLONE -1208792368 0x9f8ff70
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence SWITCH:
10.2.1.75
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence MAC:
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence USER: image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Name = image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Password =
image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair NAS-IP-Address =
10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Jul 27 13:01:03 2010 : Info: Failed to authenticate the user.
Tue Jul 27 13:01:03 2010 : Info: Using Post-Auth-Type Reject
Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
Tue Jul 27 13:01:03 2010 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> image
Tue Jul 27 13:01:03 2010 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns
updated
Tue Jul 27 13:01:03 2010 : Info: Delaying reject of request 0 for 1
seconds
Tue Jul 27 13:01:03 2010 : Debug: Going to the next request
Tue Jul 27 13:01:03 2010 : Debug: Waking up in 0.8 seconds.
Tue Jul 27 13:01:04 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 239 to 10.2.1.75 port 46841
Tue Jul 27 13:01:04 2010 : Debug: Waking up in 4.9 seconds.
Tue Jul 27 13:01:09 2010 : Info: Cleaning up request 0 ID 239 with
timestamp +26
Tue Jul 27 13:01:09 2010 : Debug: Ready to process requests.
------------------
PS: I know it is not best practice to specify the default auth-type but
this is a single purpose server and I know what types of requests are
going to come to it, anything other than what I want should be
discarded.
Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
------------------------------
Message: 5
Date: Tue, 27 Jul 2010 14:19:48 -0400
From: John Dennis <a class="moz-txt-link-rfc2396E" href="mailto:jdennis@redhat.com"><jdennis@redhat.com></a>
Subject: Re: RHDS
To: FreeRadius users mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:freeradius-users@lists.freeradius.org"><freeradius-users@lists.freeradius.org></a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:4C4F2344.70907@redhat.com"><4C4F2344.70907@redhat.com></a>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 07/27/2010 12:59 PM, Natr Brazell wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Anyone using the Redhat Directory Server (RHDS) or 389-server versions
of LDAP with their freeradius services? Curious really?
</pre>
</blockquote>
<pre wrap="">
Yes (but I guess that's obvious given my .sig)
--
John Dennis <a class="moz-txt-link-rfc2396E" href="mailto:jdennis@redhat.com"><jdennis@redhat.com></a>
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
------------------------------
Message: 6
Date: Tue, 27 Jul 2010 13:34:11 -0700
From: Kevin Ehlers <a class="moz-txt-link-rfc2396E" href="mailto:kevin@uoregon.edu"><kevin@uoregon.edu></a>
Subject: coa proxy'ing with a NAC device
To: <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:4C4F42C3.4080906@uoregon.edu"><4C4F42C3.4080906@uoregon.edu></a>
Content-Type: text/plain; charset=ISO-8859-1
I'm having a really hard time with proxying or just dealing with
CoA's. The documentation just isn't working for me.
I can configure the coa server. I can get the originate-coa server up
too. I can send CoA's to the server, but I can't get it to proxy them
or re-send them as if it was originating the CoA. I see that they're
being processed when looking at debug mode. But I just don't know how
to do anything with them.
This is what I want to do:
[lots of switches doing dot1x]<->[freeradius]<->[NAC device,
PacketFence in this case]
I want to be able to send a CoA request from PacketFence (or another
management server) to freeradius, and have it relay that CoA to a
specific switch. E.g. I have determined that a user needs to be
quarantined, so I run a script on the backend, and part of that
requires having that user re-authenticate and get assigned a
quarantine vlan. PF determines which switch they're on, sends a CoA
to FreeRadius, FreeRadius then sends the CoA to the correct switch.
Is there a way to do this without configuring a client entry for every
edge device? Should I be using the proxy.conf in some way? I'm not
really clear about how to use the virtual servers in regard to proxying.
Thanks,
--
Kevin Ehlers
Network Engineer
University of Oregon
------------------------------
Message: 7
Date: Tue, 27 Jul 2010 17:07:37 -0700 (PDT)
From: newtownz <a class="moz-txt-link-rfc2396E" href="mailto:jean466@sympatico.ca"><jean466@sympatico.ca></a>
Subject: Passing variables from inner tunnel
To: <a class="moz-txt-link-abbreviated" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:29279811.post@talk.nabble.com"><29279811.post@talk.nabble.com></a>
Content-Type: text/plain; charset=us-ascii
Hi,
I'm trying to pass the value of LDAP-UserDn from the inner-tunnel
to the default server. I have read unlang and also tried many combinations
including update outer.control from the inner tunnel and nothing worked...
Here is a debug output where we can see that the User-Dn gets expanded
correctly in the tunnel but is empty in the default server.
++[eap] returns ok
+- entering group post-auth {...}
expand: %{control:LDAP-UserDn} -> cn=aruba,ou=etudiant,o=org
Exec-Program output: etudiant
Exec-Program-Wait: plaintext: etudiant
Exec-Program: returned: 0
++[reply] returns noop
++[outer.control] returns noop
} # server inner-tunnel
....
....
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
expand: %{control:LDAP-UserDn} ->
PHP Notice: Undefined offset: 0 in /etc/freeradius/scripts/php3 on line 4
Exec-Program output: dewor
Exec-Program-Wait: plaintext: dewor
Exec-Program: returned: 0
Thanks
Jean
--
View this message in context: <a class="moz-txt-link-freetext" href="http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29279811.html">http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29279811.html</a>
Sent from the FreeRadius - User mailing list archive at Nabble.com.
------------------------------
End of Freeradius-Users Digest, Vol 63, Issue 97
************************************************
</pre>
</blockquote>
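<br>
Added example (not part of the original posts and not FreeRADIUS code): a Python check over "radiusd -X" output in the format quoted in Message 4, listing which modules ran in the authorize section and whether an authenticate section ever ran before the "No authenticate method (Auth-Type)" rejection. In FreeRADIUS 2.x the users file is read by the files module, so a DEFAULT Auth-Type entry only takes effect if files is among the modules run in authorize. The sample log is constructed and the function names unwrap and diagnose are illustrative.<br>
<pre wrap="">
```python
import re

# Constructed sample in the format of the "radiusd -X" output quoted in
# Message 4, with mail-wrapped lines; function names are illustrative.
SAMPLE = """\
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: ++++[ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns
updated
"""

STAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : ")
SECTION = re.compile(r"\s\+- entering group (\w[\w-]*)")  # top level only
MODULE = re.compile(r"\++\[([\w.-]+)\] returns (\w+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"


def unwrap(text):
    """Re-join lines that a mail client wrapped (no leading timestamp)."""
    out = []
    for line in text.splitlines():
        if out and not STAMP.match(line):
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def diagnose(text):
    """Report which modules ran in authorize and how the request ended."""
    sections, current, rejected = {}, None, False
    for line in unwrap(text):
        sec = SECTION.search(line)
        mod = MODULE.search(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
        elif mod and current:
            sections[current].append((mod.group(1), mod.group(2)))
        elif NO_AUTH_TYPE in line:
            rejected = True
    authorize = [name for name, _ in sections.get("authorize", [])]
    return {
        "no_auth_type_reject": rejected,
        "authorize_modules": authorize,
        "files_ran_in_authorize": "files" in authorize,
        "authenticate_section_ran": "authenticate" in sections,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```
</pre>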
</body>
</html>