No authenticate method (Auth-Type) found for the request
I know you guys have received tons of e-mail with the same title, but I am just unable to fix this - sorry. Today I setup freeradius on a fresh install OpenWRT router. I found some tutorials, this one among them: http://jackofallit.wordpress.com/2012/02/15/turn-a-60-120-router-into-an-ent... and started the configuration. The "initial radius test" and the "initial wifi radius test" were successful and I connected to the router. Later I did something wrong and now I am getting: : Info: +- entering group authorize {...} : Info: [eap] No EAP-Message, not doing EAP : Info: ++[eap] returns noop : Info: ++[files] returns noop : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. : Info: ++[pap] returns noop : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user : Info: Failed to authenticate the user. I have only modified: clients.conf and users. I have also generated new certificates (per tutorial) and maybe this is where the problem is? I also edited eap.conf section: private_key_password = mypass private_key_file = ${certdir}/server.key The service starts fine (radiusd -XX) but cannot authenticate even from localhost. I am not using LDAP / SQL or any other backend. Please give me some ideas on how I can debug the error. Thanks.
Beeblebrox wrote:
I know you guys have received tons of e-mail with the same title, but I am just unable to fix this - sorry.
Today I setup freeradius on a fresh install OpenWRT router. I found some tutorials, this one among them:
Why not follow the documentation that comes with the server? The web page has a long series of instructions for creating certificates. Whoever wrote it wasted your time, and his. The directory "raddb/certs" has a README. That explains in EXCRUCIATING detail the simplest way to make certificates for the server. It's really not rocket science.
The "initial radius test" and the "initial wifi radius test" were successful and I connected to the router. Later I did something wrong and now I am getting: : Info: +- entering group authorize {...} : Info: [eap] No EAP-Message, not doing EAP : Info: ++[eap] returns noop : Info: ++[files] returns noop : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. : Info: ++[pap] returns noop : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user : Info: Failed to authenticate the user.
The whole point of running in debugging mode is to READ IT. The rest of the information (deleted here) is useful, too.
I have only modified: clients.conf and users. I have also generated new certificates (per tutorial) and maybe this is where the problem is?
The incoming request doesn't use certificate authentication. It's using password authentication. 1) what client did you use to send the Access-Request? 2) what is in the Access-Request? 3) Why did you send the Access-Request? 4) What did you expect would happen?
I also edited eap.conf section: private_key_password = mypass private_key_file = ${certdir}/server.key
The service starts fine (radiusd -XX) but cannot authenticate even from localhost. I am not using LDAP / SQL or any other backend. Please give me some ideas on how I can debug the error.
Follow the instructions, among other things. I don't like repeating myself, but I'm a bit at a loss for what else to do. Alan DeKok.
Hi Alan and thank you so much for answering Keeping in mind that the system in question is an OpenWRT (hence minimal install):
The directory "raddb/certs" has a README The directory is /etc/freeradius2/certs (?) and has no README, also no man pages so as to save on space. Anyway , I read the file from http://openisp.net/openisp/unxsVZ/browser/trunk/unxsRadius/setupradius/raddb... But this is not possible since a router environment is not suitable for git + building things. But more importantly:
The incoming request doesn't use certificate authentication So that means the certificate business is not of immediate relevance to my problem? Good to hear!
1) what client did you use to send the Access-Request? ssh into box and: echo "User-Name = steve, User-Password = testing" | radcli ent -x 192.168.1.2 auth mysecret
3) Why did you send the Access-Request? To debug freeradius config since wifi connection attempt fails with very little info. Also, to isolate any wrong settings on the network config side of the router's admin webpage.
The whole point of running in debugging mode is to READ IT I read the output several times before posting - nothing out of the ordinary and all modules are loaded smoothly. Also, no debug info in /var/log/radius.log - not even when I increase log-level in /etc/freeradius2/radiusd.conf.
config file snippets: users: steve Cleartext-Password := "testing" # Service-Type = Framed-User, # Framed-Protocol = PPP, # Framed-IP-Address = 172.16.3.33, # Framed-IP-Netmask = 255.255.255.0, # Framed-Routing = Broadcast-Listen, # Framed-Filter-Id = "std.ppp", # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP clients.conf: client localhost { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) ipaddr = 192.168.1.2 secret = somesecret LASTLY: ı'm used to posting through nabble so I can ensure thread continuance. Since I'm new to this method, apologies if posting through direct e-mail does not post as foloow-up for initial topic.
Beeblebrox wrote:
Keeping in mind that the system in question is an OpenWRT (hence minimal install):
The web site contains documentation. As does the wiki. The distribution "tar" file contains documentation. You're not stuck with just a minimal install on a constrained box.
But this is not possible since a router environment is not suitable for git + building things.
You can run the scripts on another machine, and copy the certificates over to the constrained machine.
But more importantly:
The incoming request doesn't use certificate authentication So that means the certificate business is not of immediate relevance to my problem? Good to hear!
Well, no. The debug log you posted doesn't use certificates. Hence my question about where it came from.
1) what client did you use to send the Access-Request? ssh into box and: echo "User-Name = steve, User-Password = testing" | radcli ent -x 192.168.1.2 auth mysecret
So... it's a test request with a test user and test password. It's not a real request from a client. Did you configure the user on the radius server? i.e. how does the RADIUS server know how to authenticate the user?
3) Why did you send the Access-Request? To debug freeradius config since wifi connection attempt fails with very little info.
That is the point of running the server in debugging mode. Do a WiFi connection, and read the debug output for *that*.
The whole point of running in debugging mode is to READ IT I read the output several times before posting - nothing out of the ordinary and all modules are loaded smoothly.
Messages like "No known good password" don't mean anything?
Also, no debug info in /var/log/radius.log - not even when I increase log-level in /etc/freeradius2/radiusd.conf.
The normal log file is for normal logs. It's not for debug output.
config file snippets: users: steve Cleartext-Password := "testing"
Well... the debug output shows that the "files" module (which handles the users file) returned "noop". i.e. it didn't find that entry. Please read the FAQ about debugging authentication. It gives examples, and detailed instructions. Alan DeKok.
Do a WiFi connection, and read the debug output for *that*. Good idea - I have some progress in debugging:
This snippet shows that at least SSL certs are working & being accepted by radius: ++++-----------------------------------------------------+++ Thu Jan 17 21:58:15 2013 : Info: # Executing section authorize from file /etc/freeradius2/sites/default Thu Jan 17 21:58:15 2013 : Info: +- entering group authorize {...} Thu Jan 17 21:58:15 2013 : Info: [eap] EAP packet type response id 255 length 208 Thu Jan 17 21:58:15 2013 : Info: [eap] Continuing tunnel setup. Thu Jan 17 21:58:15 2013 : Info: ++[eap] returns ok Thu Jan 17 21:58:15 2013 : Info: Found Auth-Type = EAP Thu Jan 17 21:58:15 2013 : Info: # Executing group from file /etc/freeradius2/sites/default Thu Jan 17 21:58:15 2013 : Info: +- entering group authenticate {...} Thu Jan 17 21:58:15 2013 : Info: [eap] Request found, released from the list Thu Jan 17 21:58:15 2013 : Info: [eap] EAP/peap Thu Jan 17 21:58:15 2013 : Info: [eap] processing type peap Thu Jan 17 21:58:15 2013 : Info: [peap] processing EAP-TLS Thu Jan 17 21:58:15 2013 : Debug: TLS Length 198 Thu Jan 17 21:58:15 2013 : Info: [peap] Length Included Thu Jan 17 21:58:15 2013 : Info: [peap] eaptls_verify returned 11 Thu Jan 17 21:58:15 2013 : Info: [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 read client key exchange A Thu Jan 17 21:58:16 2013 : Info: [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] Thu Jan 17 21:58:16 2013 : Info: [peap] <<< TLS 1.0 Handshake [length 0010], Finished Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 read finished A Thu Jan 17 21:58:16 2013 : Info: [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 write change cipher spec A Thu Jan 17 21:58:16 2013 : Info: [peap] >>> TLS 1.0 Handshake [length 0010], Finished Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 write finished A Thu Jan 17 21:58:16 2013 : Info: [peap] TLS_accept: SSLv3 flush data Thu Jan 17 21:58:16 2013 : Info: [peap] (other): SSL negotiation finished successfully Thu Jan 17 21:58:16 2013 : Debug: SSL Connection Established ++++-----------------------------------------------------+++ OTHER INTERESTING CODE I FIND (No NT/LM-Password): ++++-----------------------------------------------------+++ hu Jan 17 21:58:16 2013 : Info: # Executing section authorize from file /etc/freeradius2/sites/default Thu Jan 17 21:58:16 2013 : Info: +- entering group authorize {...} Thu Jan 17 21:58:16 2013 : Info: [eap] EAP packet type response id 2 length 65 Thu Jan 17 21:58:16 2013 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Thu Jan 17 21:58:16 2013 : Info: ++[eap] returns updated Thu Jan 17 21:58:16 2013 : Info: ++[files] returns noop Thu Jan 17 21:58:16 2013 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Thu Jan 17 21:58:16 2013 : Info: ++[pap] returns noop Thu Jan 17 21:58:16 2013 : Info: Found Auth-Type = EAP Thu Jan 17 21:58:16 2013 : Info: # Executing group from file /etc/freeradius2/sites/default Thu Jan 17 21:58:16 2013 : Info: +- entering group authenticate {...} Thu Jan 17 21:58:16 2013 : Info: [eap] Request found, released from the list Thu Jan 17 21:58:16 2013 : Info: [eap] EAP/mschapv2 Thu Jan 17 21:58:16 2013 : Info: [eap] processing type mschapv2 Thu Jan 17 21:58:16 2013 : Info: [mschapv2] # Executing group from file /etc/freeradius2/sites/default Thu Jan 17 21:58:16 2013 : Info: [mschapv2] +- entering group MS-CHAP {...} Thu Jan 17 21:58:16 2013 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password. Thu Jan 17 21:58:16 2013 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password. Thu Jan 17 21:58:16 2013 : Info: [mschap] Creating challenge hash with username: pospda Thu Jan 17 21:58:16 2013 : Info: [mschap] Client is using MS-CHAPv2 for pospda, we need NT-Password Thu Jan 17 21:58:16 2013 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. Thu Jan 17 21:58:16 2013 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Thu Jan 17 21:58:16 2013 : Info: ++[mschap] returns reject Thu Jan 17 21:58:16 2013 : Info: [eap] Freeing handler Thu Jan 17 21:58:16 2013 : Info: ++[eap] returns reject Thu Jan 17 21:58:16 2013 : Info: Failed to authenticate the user. Thu Jan 17 21:58:16 2013 : Auth: Login incorrect: [pospda/<via Auth-Type = EAP>] (from client localhost port 1 cli 00-1F-1F-91-32-E4 via TLS tunnel) ++++-----------------------------------------------------+++ This I did not configure & probaly should?
how does the RADIUS server know how to authenticate the user?
Many many thanks.
Update: I tried connection from an XP laptop and got the message: Windows was unable to find a certificate to log you on to the network
Hi,
Update: I tried connection from an XP laptop and got the message: Windows was unable to find a certificate to log you on to the network
Windows is telling you that its needing a certificate or doesnt know the certificate. have you installed the CA certificate that your RADIUS server is using onto the client? are you using EAP-TLS? if so, have you made a client certificate and installed it onto the client? have you played with the client (windows) 802.1X settings - you should be trying PEAP I'm guessing (the default value is smartcard certificate alan
Beeblebrox wrote:
Update: I tried connection from an XP laptop and got the message: Windows was unable to find a certificate to log you on to the network
You need to follow the documentation or you will be unsubscribed, and banned from the list. 10+ years of experience shows us that this is the ONLY WAY to convince certain people to read the documentation. - You are using "radiusd -Xx". Don't do that. All of the documentation says "radiusd -X" for a reason. Follow the documentation. - I told you to read the FAQ to see how to configure a user. Your previous message showed you didn't do that. Follow the documentation. - This message shows you have issues with EAP. Go to freeradius.org, click on the "documentation" link. There is an EAP-TLS "howto". It has detailed instructions, including screen shots for XP. It ALWAYS WORKS. If it doesn't work for you, it's because you DID NOT FOLLOW THE DOCUMENTATION. If you think my response is harsh, then see it from my point of view. There are hundreds of pages of easily found documentation that describes exactly what you want to do. I (among many other people) spent years writing it. You can't be bothered to even click a link or two, and follow instructions. If you think my response is rude, keep it to yourself. Any response complaining that we're rude for asking you to follow the documentation will result in you being unsubscribed and banned. Follow the documentation. It's damned easy to do. Alan DeKok.
Dear Alan, First off, thanks again for your help. I fully appreciate that you are giving of your time to answer posts, when you really have no obligation to do so. I know you are one of the developers or project leader since your name keeps coming up on almost every web page that posts something about Freeradius. That said, I would like to comment on the documentation of your project. It's quite extensive, but equally confusing (at least for me). I am a FreeBSD user and have a pretty good handle on many advanced issues in that OS - so I think I am fairly capable of reading and implementing documentation. However, I have found that your documentation assumes too much, does not follow much of a logical path, is not organized by topic, does not "get to the point" and does not have concrete examples / solutions to at least recurring and common mistakes or errors. When reading documentation, I'm not interested in becoming an expert in that subject, I just want to get the damn thing up and working. So in essence, I'm not able to find the answers I'm looking for in your documentation, and that's frustrating. I have found (in debugging other software problems) that it is very important for the person who knows more and is assisting, to ask the right questions. Honestly, I have understoode very little from your posts in this thread (with exception of the last one). Asking some specific questions, then posting relevant links to the wiki (depending on the answers from the OP) would be immensly more helpful. I suggest that you have links in your signature to the entry-level wiki pages (like faq, debug, etc).
If you think my response is rude, keep it to yourself. I don't think that at all and as stated, very much appreciated your input and taking time (again, without obligation) to provide help. In fact, I previously refrained on commenting on how I disliked the documentation structure so as not to appear rude to you.
will result in you being unsubscribed and banned. Fascinating! I'm enthralled.
Beeblebrox wrote:
First off, thanks again for your help. I fully appreciate that you are giving of your time to answer posts, when you really have no obligation to do so. I know you are one of the developers or project leader since your name keeps coming up on almost every web page that posts something about Freeradius.
I started FreeRADIUS. I've written most of the code. I've been doing this for ~14 years. And now, probably 50% of the new RADIUS specifications are mine.
That said, I would like to comment on the documentation of your project. It's quite extensive, but equally confusing (at least for me).
http://freeradius.org/doc/ contains documentation for all of the problems you've seen so far. That documentation is given in pretty excruciating detail. "edit this, run that command, see this output". And yet... most people who have problems start off with third-party web sites that are *worse*, in my opinion. They tell you to do things which aren't necessary, and they give wrong explanations.
I am a FreeBSD user and have a pretty good handle on many advanced issues in that OS - so I think I am fairly capable of reading and implementing documentation. However, I have found that your documentation assumes too much, does not follow much of a logical path, is not organized by topic, does not "get to the point" and does not have concrete examples / solutions to at least recurring and common mistakes or errors.
As I've been saying for !4 years: the community is free to write better documentation. No, that's not true... I've been *begging* for better documentation. It doesn't happen.
When reading documentation, I'm not interested in becoming an expert in that subject, I just want to get the damn thing up and working. So in essence, I'm not able to find the answers I'm looking for in your documentation, and that's frustrating.
Please explain how the "pap" and "EAP" guides don't do what you're asking for. They follow a logical path. They are clearly labeled by topic. They get to the point. They give concrete examples. Now, much *else* in the server doesn't have that. But the issues you ran into are documented *exactly* as you want. For the rest, the comments in the configuration file describe in great detail how the server works, and what the configurations do. And about "becoming an expert"... it helps to *understand* what you're doing. Many of the problems people run into are because they read crappy third-party documentation, and are obsessed with implementing a particular solution. They don't care to listen to the experts *here* who are telling them to do something else. And they don't care to *understand* what they're doing, so that they can do it *right*.
I have found (in debugging other software problems) that it is very important for the person who knows more and is assisting, to ask the right questions. Honestly, I have understoode very little from your posts in this thread (with exception of the last one). Asking some specific questions, then posting relevant links to the wiki (depending on the answers from the OP) would be immensly more helpful. I suggest that you have links in your signature to the entry-level wiki pages (like faq, debug, etc).
So... I'm supposed to cut & paste links from the wiki, because you... what... don't want to look there? Can't use the "search" button on the wiki? And add *more* links saying "please read the FAQ"? That's a terrible suggestion.
If you think my response is rude, keep it to yourself. I don't think that at all and as stated, very much appreciated your input and taking time (again, without obligation) to provide help. In fact, I previously refrained on commenting on how I disliked the documentation structure so as not to appear rude to you.
It's a pro-active comment. Most of the time when I say "I REALLY MEAN READ THE DOCUMENTATION", people get offended and accuse me of being rude.
will result in you being unsubscribed and banned. Fascinating! I'm enthralled.
It's the only way to convince certain people to READ THE DOCUMENTATION. It's not hard. Go to the web site. Click on "documentation". The PAP / EAP issues you were having are documented from there, in great detail, exactly how you want. What *else* should we be doing to convince people to READ IT? Write it on flaming letters 150 feet high? It's already in the "man" pages, web pages, daily posts to this list, top entries on google. Alan DeKok.
Just writing to advise of the strange issues I came accross. 1. The Authentication issue was solved when by accident I placed in users the name / password without any whitespace (<tab> or <space>) before the password string. So I found that this works: bob Cleartext-Password := "hello888" while this does not: bob Cleartext-Password := "hello888" Test client now logs in very smoothly. 2. Similarly, below spec gives error (probably my mistake): DEFAULT Simultaneous-Use := 4 Fall-Through = Yes /etc/freeradius2/users[8]: Parse error (check) for entry Simultaneous-Use: Unknown attribute "" requires a hex string, not "4" Errors reading /etc/freeradius2/users /etc/freeradius2/modules/files[7]: Instantiation failed for module "files" /etc/freeradius2/sites/default[170]: Failed to find "files" in the "modules" section. /etc/freeradius2/sites/default[69]: Errors parsing authorize section. Off the top, I would venture to guess that OpenWRT's build of FreeRadius is significantly different than the "standard build" and that is probably where the bug is coming from.
Beeblebrox wrote:
Just writing to advise of the strange issues I came accross.
1. The Authentication issue was solved when by accident I placed in users the name / password without any whitespace (<tab> or <space>) before the password string. So I found that this works: bob Cleartext-Password := "hello888" while this does not: bob Cleartext-Password := "hello888" Test client now logs in very smoothly.
This is documented. See "man users", and the comments in the "users" file, and in the dozens of examples.
2. Similarly, below spec gives error (probably my mistake): DEFAULT Simultaneous-Use := 4 Fall-Through = Yes
/etc/freeradius2/users[8]: Parse error (check) for entry Simultaneous-Use: Unknown attribute "" requires a hex string, not "4" Errors reading /etc/freeradius2/users /etc/freeradius2/modules/files[7]: Instantiation failed for module "files" /etc/freeradius2/sites/default[170]: Failed to find "files" in the "modules" section. /etc/freeradius2/sites/default[69]: Errors parsing authorize section.
Off the top, I would venture to guess that OpenWRT's build of FreeRadius is significantly different than the "standard build" and that is probably where the bug is coming from.
It's because you're again not following the documentation. Read the documentation and follow it. It's not rocket science. If you post another message indicating you've been ignoring the documentation, you will be unsubscribed and banned. I've had it with people who whine about the bad documentation, and then fanatically refuse to follow it. Get off your high horse about the documentation. It's fine. THE PROBLEM IS YOU. Alan DeKok.
Hi,
1. The Authentication issue was solved when by accident I placed in users the name / password without any whitespace (<tab> or <space>) before the password string. So I found that this works: bob Cleartext-Password := "hello888" while this does not: bob Cleartext-Password := "hello888"
errr, yes. because , as per the documentation, lines that dont start with white-sace are CHECK items, lines that start with whitespace are REPLY items
Off the top, I would venture to guess that OpenWRT's build of FreeRadius is significantly different than the "standard build" and that is probably where the bug is coming from.
no, not at all alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Beeblebrox