Dear Alan, I've followed your advice and it works OK, but not in the way I want: - Virtual server defined in /etc/freeradius/sites-available/ips - This virtual server file has the following authentication section: authenticate { ntlm_auth ... } - When I try to login the user, I get the error: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. But if I edit /etc/freeradius/users file adding at top (and maintaining the ntlm_auth line in the virtual server file): DEFAULT Auth-Type = ntlm_auth now the users can authenticate and login OK !!! Please can you tell me why the first configuration doesn't work ??? Do I have to use the "DEFAULT Auth-Type = ntlm_auth" in order to put to work the authentication ??? Take into account I've followed your "Authentication with Active Directory" tutorial. Thanks a lot, ADAM 2017-09-25 13:10 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 25, 2017, at 12:01 PM, Adam Cage <adamcage27@gmail.com> wrote:
For WiFi service, I authenticate the users against te AD following Alan Dekok's tutorial...that works OK. And also I authorize the users against LDAP (from AD), enabling ldap line in default and inner-tunnel files and evaluating if users belong or not to given certain groups using the Ldap-Groups attribute...that works OK too.
That's good, but you already said that. Please focus on fixing the problem, not describing things that already work.
Now I have an IPS device, with 3 users that have to manage it and they belong to a LDAP group that is used in the WiFi service, so I think the police is the same.
You "think"? Are these people doing WiFi authentication when the log into the IPS device?
In this case I want to authenticate any of these 3 users, and authorize them evaluating if they belong to the IPS group. I think the authentication method is the same as I'm using right now for WiFi service (defined for AD as described in Alan Dekok's tutorial).
While they might still authenticate to AD, the policies are rather different.
Please, should I add more details or can you hel me???
read raddb/sites-available/README
You will want create a *new* virtual server, specifically for the IPS rules.
Copy the "default" virtual server. Change the name to "server ips { ...}". Delete all references to EAP. Set up the IPS client in clients.conf with "virtual_server = ips"
The problem is that you don't know what the differences are between WiFi auth and the authentication used by the IPS server. You can run the server in debug mode, and READ THE OUTPUT to see the differences. They're not the same.
You can also read the documentation I suggested that you read.
Or, you can keep trying random things, and never get the problem solved.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html