ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
People, I have working OK a Freeradius with AD Authentication and LDAP Authorization. Everything is OK when I use my service to authenticate users for the WiFi service. But now I want to add a Cisco Firepower IPS authentication, and I fail. The Cisco Firepower IPS has a Radius configuration interface where I fill out all the basic necessary data: Radius IP and port, Secret and Default User Role. In the Freeradius server, I have edited /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a clause similar to the current ones, as follow (the unique condition is the user belongs to IPS LDAP group): if ..... ....... elsif (LDAP-Group == "IPS") { update reply { Reply-Message = "Hello %{User-Name}: Access enabled to Firepower" } ok } else { reject } and the Freeradius debug output is this: rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "IPS") -> TRUE ++? elsif (LDAP-Group == "IPS") -> TRUE ++elsif (LDAP-Group == "IPS") { +++update reply { expand: Hello %{User-Name}: Access enabled to Firepower -> Hello adam: Access enabled to Firepower +++} # update reply = noop +++[ok] = ok ++} # elsif (LDAP-Group == "IPS") = ok ++ ... skipping else for request 203: Preceding "if" was taken +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 203 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 203 Sending Access-Reject of id 147 to 172.20.1.1 port 52154 Reply-Message = "Hello adam: Access enabled to Firepower" Please can you help me??? Special thanks :) ADAM
need more of the debug output. its likely that you havent enabled require authentication type in the outer (default tunnel) alan On 25 September 2017 at 15:13, Adam Cage <adamcage27@gmail.com> wrote:
People, I have working OK a Freeradius with AD Authentication and LDAP Authorization. Everything is OK when I use my service to authenticate users for the WiFi service.
But now I want to add a Cisco Firepower IPS authentication, and I fail. The Cisco Firepower IPS has a Radius configuration interface where I fill out all the basic necessary data: Radius IP and port, Secret and Default User Role.
In the Freeradius server, I have edited /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a clause similar to the current ones, as follow (the unique condition is the user belongs to IPS LDAP group):
if ..... ....... elsif (LDAP-Group == "IPS") { update reply { Reply-Message = "Hello %{User-Name}: Access enabled to Firepower" } ok } else { reject }
and the Freeradius debug output is this:
rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "IPS") -> TRUE ++? elsif (LDAP-Group == "IPS") -> TRUE ++elsif (LDAP-Group == "IPS") { +++update reply { expand: Hello %{User-Name}: Access enabled to Firepower -> Hello adam: Access enabled to Firepower +++} # update reply = noop +++[ok] = ok ++} # elsif (LDAP-Group == "IPS") = ok ++ ... skipping else for request 203: Preceding "if" was taken +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 203 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 203 Sending Access-Reject of id 147 to 172.20.1.1 port 52154 Reply-Message = "Hello adam: Access enabled to Firepower"
Please can you help me???
Special thanks :)
ADAM - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 25, 2017, at 10:13 AM, Adam Cage <adamcage27@gmail.com> wrote:
People, I have working OK a Freeradius with AD Authentication and LDAP Authorization. Everything is OK when I use my service to authenticate users for the WiFi service.
That's good.
But now I want to add a Cisco Firepower IPS authentication, and I fail. The Cisco Firepower IPS has a Radius configuration interface where I fill out all the basic necessary data: Radius IP and port, Secret and Default User Role.
If the policies are very different from WiFi, you might want to user a different virtual server. See raddb/sites-available/README
In the Freeradius server, I have edited /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a clause similar to the current ones, as follow (the unique condition is the user belongs to IPS LDAP group):
if ..... ....... elsif (LDAP-Group == "IPS") { update reply { Reply-Message = "Hello %{User-Name}: Access enabled to Firepower" } ok } else { reject }
and the Freeradius debug output is this:
OK...
rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "IPS") -> TRUE ++? elsif (LDAP-Group == "IPS") -> TRUE ++elsif (LDAP-Group == "IPS") { +++update reply { expand: Hello %{User-Name}: Access enabled to Firepower -> Hello adam: Access enabled to Firepower +++} # update reply = noop +++[ok] = ok ++} # elsif (LDAP-Group == "IPS") = ok ++ ... skipping else for request 203: Preceding "if" was taken +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
Well that's clear.
Please can you help me???
Do you want to authenticate those users? If so, how? LDAP? Where are their accounts stored? Right now, you're not authenticating them at all. Alan DeKok.
Dear, thanks to both of you. For WiFi service, I authenticate the users against te AD following Alan Dekok's tutorial...that works OK. And also I authorize the users against LDAP (from AD), enabling ldap line in default and inner-tunnel files and evaluating if users belong or not to given certain groups using the Ldap-Groups attribute...that works OK too. Now I have an IPS device, with 3 users that have to manage it and they belong to a LDAP group that is used in the WiFi service, so I think the police is the same. In this case I want to authenticate any of these 3 users, and authorize them evaluating if they belong to the IPS group. I think the authentication method is the same as I'm using right now for WiFi service (defined for AD as described in Alan Dekok's tutorial). Please, should I add more details or can you hel me??? Regards! ADAM 2017-09-25 11:23 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 25, 2017, at 10:13 AM, Adam Cage <adamcage27@gmail.com> wrote:
People, I have working OK a Freeradius with AD Authentication and LDAP Authorization. Everything is OK when I use my service to authenticate
users
for the WiFi service.
That's good.
But now I want to add a Cisco Firepower IPS authentication, and I fail. The Cisco Firepower IPS has a Radius configuration interface where I fill out all the basic necessary data: Radius IP and port, Secret and Default User Role.
If the policies are very different from WiFi, you might want to user a different virtual server. See raddb/sites-available/README
In the Freeradius server, I have edited /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a clause similar to the current ones, as follow (the unique condition is the user belongs to IPS LDAP group):
if ..... ....... elsif (LDAP-Group == "IPS") { update reply { Reply-Message = "Hello %{User-Name}: Access enabled to Firepower" } ok } else { reject }
and the Freeradius debug output is this:
OK...
rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "IPS") -> TRUE ++? elsif (LDAP-Group == "IPS") -> TRUE ++elsif (LDAP-Group == "IPS") { +++update reply { expand: Hello %{User-Name}: Access enabled to Firepower -> Hello adam: Access enabled to Firepower +++} # update reply = noop +++[ok] = ok ++} # elsif (LDAP-Group == "IPS") = ok ++ ... skipping else for request 203: Preceding "if" was taken +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
Well that's clear.
Please can you help me???
Do you want to authenticate those users? If so, how? LDAP? Where are their accounts stored?
Right now, you're not authenticating them at all.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Sep 25, 2017, at 12:01 PM, Adam Cage <adamcage27@gmail.com> wrote:
For WiFi service, I authenticate the users against te AD following Alan Dekok's tutorial...that works OK. And also I authorize the users against LDAP (from AD), enabling ldap line in default and inner-tunnel files and evaluating if users belong or not to given certain groups using the Ldap-Groups attribute...that works OK too.
That's good, but you already said that. Please focus on fixing the problem, not describing things that already work.
Now I have an IPS device, with 3 users that have to manage it and they belong to a LDAP group that is used in the WiFi service, so I think the police is the same.
You "think"? Are these people doing WiFi authentication when the log into the IPS device?
In this case I want to authenticate any of these 3 users, and authorize them evaluating if they belong to the IPS group. I think the authentication method is the same as I'm using right now for WiFi service (defined for AD as described in Alan Dekok's tutorial).
While they might still authenticate to AD, the policies are rather different.
Please, should I add more details or can you hel me???
read raddb/sites-available/README You will want create a *new* virtual server, specifically for the IPS rules. Copy the "default" virtual server. Change the name to "server ips { ...}". Delete all references to EAP. Set up the IPS client in clients.conf with "virtual_server = ips" The problem is that you don't know what the differences are between WiFi auth and the authentication used by the IPS server. You can run the server in debug mode, and READ THE OUTPUT to see the differences. They're not the same. You can also read the documentation I suggested that you read. Or, you can keep trying random things, and never get the problem solved. Alan DeKok.
Dear Alan, I've followed your advice and it works OK, but not in the way I want: - Virtual server defined in /etc/freeradius/sites-available/ips - This virtual server file has the following authentication section: authenticate { ntlm_auth ... } - When I try to login the user, I get the error: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. But if I edit /etc/freeradius/users file adding at top (and maintaining the ntlm_auth line in the virtual server file): DEFAULT Auth-Type = ntlm_auth now the users can authenticate and login OK !!! Please can you tell me why the first configuration doesn't work ??? Do I have to use the "DEFAULT Auth-Type = ntlm_auth" in order to put to work the authentication ??? Take into account I've followed your "Authentication with Active Directory" tutorial. Thanks a lot, ADAM 2017-09-25 13:10 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 25, 2017, at 12:01 PM, Adam Cage <adamcage27@gmail.com> wrote:
For WiFi service, I authenticate the users against te AD following Alan Dekok's tutorial...that works OK. And also I authorize the users against LDAP (from AD), enabling ldap line in default and inner-tunnel files and evaluating if users belong or not to given certain groups using the Ldap-Groups attribute...that works OK too.
That's good, but you already said that. Please focus on fixing the problem, not describing things that already work.
Now I have an IPS device, with 3 users that have to manage it and they belong to a LDAP group that is used in the WiFi service, so I think the police is the same.
You "think"? Are these people doing WiFi authentication when the log into the IPS device?
In this case I want to authenticate any of these 3 users, and authorize them evaluating if they belong to the IPS group. I think the authentication method is the same as I'm using right now for WiFi service (defined for AD as described in Alan Dekok's tutorial).
While they might still authenticate to AD, the policies are rather different.
Please, should I add more details or can you hel me???
read raddb/sites-available/README
You will want create a *new* virtual server, specifically for the IPS rules.
Copy the "default" virtual server. Change the name to "server ips { ...}". Delete all references to EAP. Set up the IPS client in clients.conf with "virtual_server = ips"
The problem is that you don't know what the differences are between WiFi auth and the authentication used by the IPS server. You can run the server in debug mode, and READ THE OUTPUT to see the differences. They're not the same.
You can also read the documentation I suggested that you read.
Or, you can keep trying random things, and never get the problem solved.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Sep 28, 2017, at 11:07 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan, I've followed your advice and it works OK, but not in the way I want:
- Virtual server defined in /etc/freeradius/sites-available/ips
- This virtual server file has the following authentication section:
authenticate { ntlm_auth ... }
Which says "it's allowed to use ntlm_auth as one of the authentication methods", not "this request should use ntlm_auth".
- When I try to login the user, I get the error:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
But if I edit /etc/freeradius/users file adding at top (and maintaining the ntlm_auth line in the virtual server file):
DEFAULT Auth-Type = ntlm_auth
now the users can authenticate and login OK !!!
Yes, because you have to tell the server how to authenticate the user. The standard modules do this automatically. e.g. PAP sets Auth-Type PAP, CHAP sets Auth-Type CHAP, etc. If none of the modules set Auth-Type, you have to do it manually. Alan DeKok.
Hi Alan, please I'm lost....I don't know what file to edit and how... Your tutorial use ntlm_atuth for mschap, and I've configured this because I tell you everything worked Ok, except when I add this new virtual server. Please can you tell me how can I do in order to force ntlm_auth for the user logins ??? Can you detail in more details please, either setting Auth-Type manually or not ??? Thanks again, ADAM 2017-09-28 12:32 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 28, 2017, at 11:07 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan, I've followed your advice and it works OK, but not in the way I want:
- Virtual server defined in /etc/freeradius/sites-available/ips
- This virtual server file has the following authentication section:
authenticate { ntlm_auth ... }
Which says "it's allowed to use ntlm_auth as one of the authentication methods", not "this request should use ntlm_auth".
- When I try to login the user, I get the error:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
But if I edit /etc/freeradius/users file adding at top (and maintaining the ntlm_auth line in the virtual server file):
DEFAULT Auth-Type = ntlm_auth
now the users can authenticate and login OK !!!
Yes, because you have to tell the server how to authenticate the user.
The standard modules do this automatically. e.g. PAP sets Auth-Type PAP, CHAP sets Auth-Type CHAP, etc.
If none of the modules set Auth-Type, you have to do it manually.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
if the server recognises the auth type, it will use the right method....so, if you call eg pap or mschap in the authorise section it'll do some packet checking and work things out... the default config pretty much works out of the box. if you MUST override the server logic and call a particular type of authentication using a module config then use either unlang or the users file eg in unlang update control { Auth-Type := ntml_auth } in the authorise section alan
On Sep 28, 2017, at 12:16 PM, Adam Cage <adamcage27@gmail.com> wrote:
Hi Alan, please I'm lost....I don't know what file to edit and how...
Your tutorial use ntlm_atuth for mschap, and I've configured this because I tell you everything worked Ok, except when I add this new virtual server.
You can set "Auth-Type := ntlm_auth" in the "authorize" section of the new virtual server.
Please can you tell me how can I do in order to force ntlm_auth for the user logins ??? Can you detail in more details please, either setting Auth-Type manually or not ???
There's no magic here. If you create a new virtual server, you can copy text into it. It's that simple. Alan DeKok.
participants (3)
-
Adam Cage -
Alan Buxey -
Alan DeKok