<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText>I'm following the AD config guide over at deployingradius.com and think I have an error in one of the config files; I suspect I'm not using the right syntax, or another really simple error.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Fresh install of the latest FreeRADIUS version on Ubuntu – not the packaged version, built from source<o:p></o:p></p><p class=MsoPlainText>PAP is working<o:p></o:p></p><p class=MsoPlainText>I have configured and tested Samba and ntlm_auth - both working fine<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The deployingradius guide then states<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>&lt;You will also have to list ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and of the raddb/sites-enabled/inner-tunnel file:&gt;<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>This is where I have hit problems...<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>ERROR: No authenticate method (Auth-Type) found for the request:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The above error makes me think I have amended the config files incorrectly. I have copied the /usr/local/etc/raddb/sites-enabled/default and /usr/local/etc/raddb/sites-enabled/inner-tunnel files below and at the end the RADIUS debug information. Can someone have a look at them and tell me where I have gone wrong? I just didn’t understand what format the entry had to take, so copied the existing entries in both files. 
If you search for ntlm_auth it will take you straight to the areas I have changed..<o:p></o:p></p><p class=MsoPlainText>Many thanks<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>My /sites-enabled/default file - I have just copied the authentication section as everything else in the file is at default settings<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText># Authentication.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText># This section lists which modules are available for authentication.<o:p></o:p></p><p class=MsoPlainText># Note that it does NOT mean 'try each module in order'. It means<o:p></o:p></p><p class=MsoPlainText># that a module from the 'authorize' section adds a configuration<o:p></o:p></p><p class=MsoPlainText># attribute 'Auth-Type := FOO'. That authentication type is then<o:p></o:p></p><p class=MsoPlainText># used to pick the apropriate module from the list below.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText># In general, you SHOULD NOT set the Auth-Type attribute. The server<o:p></o:p></p><p class=MsoPlainText># will figure it out on its own, and will do the right thing. 
The<o:p></o:p></p><p class=MsoPlainText># most common side effect of erroneously setting the Auth-Type<o:p></o:p></p><p class=MsoPlainText># attribute is that one authentication method will work, but the<o:p></o:p></p><p class=MsoPlainText># others will not.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText># The common reasons to set the Auth-Type attribute by hand<o:p></o:p></p><p class=MsoPlainText># is to either forcibly reject the user (Auth-Type := Reject),<o:p></o:p></p><p class=MsoPlainText># or to or forcibly accept the user (Auth-Type := Accept).<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText># Note that Auth-Type := Accept will NOT work with EAP.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText># Please do not put "unlang" configurations into the "authenticate"<o:p></o:p></p><p class=MsoPlainText># section. Put them in the "post-auth" section instead. That's what<o:p></o:p></p><p class=MsoPlainText># the post-auth section is for.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText>authenticate {<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # PAP authentication, when a back-end database listed<o:p></o:p></p><p class=MsoPlainText> # in the 'authorize' section supplies a password. The<o:p></o:p></p><p class=MsoPlainText> # password can be clear-text, or encrypted.<o:p></o:p></p><p class=MsoPlainText> Auth-Type PAP {<o:p></o:p></p><p class=MsoPlainText> pap<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Most people want CHAP authentication<o:p></o:p></p><p class=MsoPlainText> # A back-end database listed in the 'authorize' section<o:p></o:p></p><p class=MsoPlainText> # MUST supply a CLEAR TEXT password. 
Encrypted passwords<o:p></o:p></p><p class=MsoPlainText> # won't work.<o:p></o:p></p><p class=MsoPlainText> Auth-Type CHAP {<o:p></o:p></p><p class=MsoPlainText> chap<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # MSCHAP authentication.<o:p></o:p></p><p class=MsoPlainText> Auth-Type MS-CHAP {<o:p></o:p></p><p class=MsoPlainText> mschap<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> # ntlm authentication.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> Auth-Type ntlm_auth {<o:p></o:p></p><p class=MsoPlainText> ntlm_auth<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> # If you have a Cisco SIP server authenticating against<o:p></o:p></p><p class=MsoPlainText> # FreeRADIUS, uncomment the following line, and the 'digest'<o:p></o:p></p><p class=MsoPlainText> # line in the 'authorize' section.<o:p></o:p></p><p class=MsoPlainText> digest<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Pluggable Authentication Modules.<o:p></o:p></p><p class=MsoPlainText># pam<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # See 'man getpwent' for information on how the 'unix'<o:p></o:p></p><p class=MsoPlainText> # module checks the users password. Note that packets<o:p></o:p></p><p class=MsoPlainText> # containing CHAP-Password attributes CANNOT be authenticated<o:p></o:p></p><p class=MsoPlainText> # against /etc/passwd! See the FAQ for details.<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # For normal "crypt" authentication, the "pap" module should<o:p></o:p></p><p class=MsoPlainText> # be used instead of the "unix" module. 
The "unix" module should<o:p></o:p></p><p class=MsoPlainText> # be used for authentication ONLY for compatibility with legacy<o:p></o:p></p><p class=MsoPlainText> # FreeRADIUS configurations.<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> unix<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> # Uncomment it if you want to use ldap for authentication<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Note that this means "check plain-text password against<o:p></o:p></p><p class=MsoPlainText> # the ldap database", which means that EAP won't work,<o:p></o:p></p><p class=MsoPlainText> # as it does not supply a plain-text password.<o:p></o:p></p><p class=MsoPlainText># Auth-Type LDAP {<o:p></o:p></p><p class=MsoPlainText># ldap<o:p></o:p></p><p class=MsoPlainText># }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Allow EAP authentication.<o:p></o:p></p><p class=MsoPlainText> eap<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # The older configurations sent a number of attributes in<o:p></o:p></p><p class=MsoPlainText> # Access-Challenge packets, which wasn't strictly correct.<o:p></o:p></p><p class=MsoPlainText> # If you want to filter out these attributes, uncomment<o:p></o:p></p><p class=MsoPlainText> # the following lines.<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText># Auth-Type eap {<o:p></o:p></p><p class=MsoPlainText># eap {<o:p></o:p></p><p class=MsoPlainText># handled = 1 <o:p></o:p></p><p class=MsoPlainText># }<o:p></o:p></p><p class=MsoPlainText># if (handled && (Response-Packet-Type == Access-Challenge)) {<o:p></o:p></p><p class=MsoPlainText># attr_filter.access_challenge.post-auth<o:p></o:p></p><p class=MsoPlainText># handled # override the "updated" code from attr_filter<o:p></o:p></p><p class=MsoPlainText># 
}<o:p></o:p></p><p class=MsoPlainText># }<o:p></o:p></p><p class=MsoPlainText>}<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>My /sites-enabled/inner-tunnel file - again, I have just copied the section I have added to...<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText># Authentication.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText># This section lists which modules are available for authentication.<o:p></o:p></p><p class=MsoPlainText># Note that it does NOT mean 'try each module in order'. It means<o:p></o:p></p><p class=MsoPlainText># that a module from the 'authorize' section adds a configuration<o:p></o:p></p><p class=MsoPlainText># attribute 'Auth-Type := FOO'. That authentication type is then<o:p></o:p></p><p class=MsoPlainText># used to pick the apropriate module from the list below.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText># In general, you SHOULD NOT set the Auth-Type attribute. The server<o:p></o:p></p><p class=MsoPlainText># will figure it out on its own, and will do the right thing. 
The<o:p></o:p></p><p class=MsoPlainText># most common side effect of erroneously setting the Auth-Type<o:p></o:p></p><p class=MsoPlainText># attribute is that one authentication method will work, but the<o:p></o:p></p><p class=MsoPlainText># others will not.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText># The common reasons to set the Auth-Type attribute by hand<o:p></o:p></p><p class=MsoPlainText># is to either forcibly reject the user, or forcibly accept him.<o:p></o:p></p><p class=MsoPlainText>#<o:p></o:p></p><p class=MsoPlainText>authenticate {<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # PAP authentication, when a back-end database listed<o:p></o:p></p><p class=MsoPlainText> # in the 'authorize' section supplies a password. The<o:p></o:p></p><p class=MsoPlainText> # password can be clear-text, or encrypted.<o:p></o:p></p><p class=MsoPlainText> Auth-Type PAP {<o:p></o:p></p><p class=MsoPlainText> pap<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Most people want CHAP authentication<o:p></o:p></p><p class=MsoPlainText> # A back-end database listed in the 'authorize' section<o:p></o:p></p><p class=MsoPlainText> # MUST supply a CLEAR TEXT password. 
Encrypted passwords<o:p></o:p></p><p class=MsoPlainText> # won't work.<o:p></o:p></p><p class=MsoPlainText> Auth-Type CHAP {<o:p></o:p></p><p class=MsoPlainText> chap<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> # MSCHAP authentication.<o:p></o:p></p><p class=MsoPlainText> Auth-Type MS-CHAP {<o:p></o:p></p><p class=MsoPlainText> mschap<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # NTLM authentication.<o:p></o:p></p><p class=MsoPlainText> Auth-Type ntlm_auth {<o:p></o:p></p><p class=MsoPlainText> ntlm_auth<o:p></o:p></p><p class=MsoPlainText> }<o:p></o:p></p><p class=MsoPlainText> # Pluggable Authentication Modules.<o:p></o:p></p><p class=MsoPlainText># pam<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # See 'man getpwent' for information on how the 'unix'<o:p></o:p></p><p class=MsoPlainText> # module checks the users password. Note that packets<o:p></o:p></p><p class=MsoPlainText> # containing CHAP-Password attributes CANNOT be authenticated<o:p></o:p></p><p class=MsoPlainText> # against /etc/passwd! 
See the FAQ for details.<o:p></o:p></p><p class=MsoPlainText> # <o:p></o:p></p><p class=MsoPlainText> unix<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> # Uncomment it if you want to use ldap for authentication<o:p></o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Note that this means "check plain-text password against<o:p></o:p></p><p class=MsoPlainText> # the ldap database", which means that EAP won't work,<o:p></o:p></p><p class=MsoPlainText> # as it does not supply a plain-text password.<o:p></o:p></p><p class=MsoPlainText># Auth-Type LDAP {<o:p></o:p></p><p class=MsoPlainText># ldap<o:p></o:p></p><p class=MsoPlainText># }<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> #<o:p></o:p></p><p class=MsoPlainText> # Allow EAP authentication.<o:p></o:p></p><p class=MsoPlainText> eap<o:p></o:p></p><p class=MsoPlainText>}<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>My debug output is as follows<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>rad_recv: Access-Request packet from host 127.0.0.1 port 44992, id=218, length=60<o:p></o:p></p><p class=MsoPlainText> User-Name = "xxxxxxxx"<o:p></o:p></p><p class=MsoPlainText> User-Password = "xxxxxxxxx"<o:p></o:p></p><p class=MsoPlainText> NAS-IP-Address = xxx.xxx.xxx.xxx<o:p></o:p></p><p class=MsoPlainText> NAS-Port = 0<o:p></o:p></p><p class=MsoPlainText># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<o:p></o:p></p><p class=MsoPlainText>+- entering group authorize {...}<o:p></o:p></p><p class=MsoPlainText>++[preprocess] returns ok<o:p></o:p></p><p class=MsoPlainText>++[chap] returns noop<o:p></o:p></p><p class=MsoPlainText>++[mschap] returns noop<o:p></o:p></p><p class=MsoPlainText>++[digest] returns 
noop<o:p></o:p></p><p class=MsoPlainText>[suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL<o:p></o:p></p><p class=MsoPlainText>[suffix] No such realm "NULL"<o:p></o:p></p><p class=MsoPlainText>++[suffix] returns noop<o:p></o:p></p><p class=MsoPlainText>[eap] No EAP-Message, not doing EAP<o:p></o:p></p><p class=MsoPlainText>++[eap] returns noop<o:p></o:p></p><p class=MsoPlainText>++[files] returns noop<o:p></o:p></p><p class=MsoPlainText>++[expiration] returns noop<o:p></o:p></p><p class=MsoPlainText>++[logintime] returns noop<o:p></o:p></p><p class=MsoPlainText>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<o:p></o:p></p><p class=MsoPlainText>++[pap] returns noop<o:p></o:p></p><p class=MsoPlainText>ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user<o:p></o:p></p><p class=MsoPlainText>Failed to authenticate the user.<o:p></o:p></p><p class=MsoPlainText>Using Post-Auth-Type Reject<o:p></o:p></p><p class=MsoPlainText># Executing group from file /usr/local/etc/raddb/sites-enabled/default<o:p></o:p></p><p class=MsoPlainText>+- entering group REJECT {...}<o:p></o:p></p><p class=MsoPlainText>[attr_filter.access_reject] expand: %{User-Name} -> xxxxxxxxxx<o:p></o:p></p><p class=MsoPlainText> attr_filter: Matched entry DEFAULT at line 11<o:p></o:p></p><p class=MsoPlainText>++[attr_filter.access_reject] returns updated<o:p></o:p></p><p class=MsoPlainText>Delaying reject of request 16 for 1 seconds<o:p></o:p></p><p class=MsoPlainText>Going to the next request<o:p></o:p></p><p class=MsoPlainText>Waking up in 0.9 seconds.<o:p></o:p></p><p class=MsoPlainText>Sending delayed reject for request 16<o:p></o:p></p><p class=MsoPlainText>Sending Access-Reject of id 218 to 127.0.0.1 port 44992<o:p></o:p></p><p class=MsoPlainText>Waking up in 4.9 seconds.<o:p></o:p></p><p class=MsoPlainText>Cleaning up request 16 ID 218 with timestamp +84526<o:p></o:p></p><p class=MsoPlainText>Ready to 
process requests.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Many thanks<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>