No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Dear All, I am about deploying an AAA services: All authentication is centralized on my freeradius-server (on debian lenny), in the green zone behind ipcop in which I installed ipcop addons called copspot ( like chilispot) for the captive portal. The authentication worked well locally against openldap (in the same server). When an user try to connect to internet in the Blue Zone (WLAN), it generates the following error in the radius-server. I am really stuck here, any help will be welcome. Thu Apr 22 14:14:51 2010 : Debug: } Thu Apr 22 14:14:51 2010 : Debug: Listening on authentication address * port 1812 Thu Apr 22 14:14:51 2010 : Debug: Listening on accounting address * port 1813 Thu Apr 22 14:14:51 2010 : Debug: Listening on proxy address * port 1814 Thu Apr 22 14:14:51 2010 : Info: Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.1 port 32790, id=0, length=216 User-Name = "kkigor14" CHAP-Challenge = 0xd12e07a5f57980aa86a4aa049fc7bb40 CHAP-Password = 0x0005cff525e5508c82bc3ebb315c0b09e5 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.4.7 Calling-Station-Id = "00-21-63-6B-C8-40" Called-Station-Id = "00-08-74-D4-7A-F5" NAS-Identifier = "nas01" Acct-Session-Id = "4bd058be00000003" NAS-Port-Type = Wireless-802.11 NAS-Port = 3 Message-Authenticator = 0x5d8d6302e9684a55c2db247bdafc022e WISPr-Logoff-URL = "http://192.168.4.1:3990/logoff" Thu Apr 22 14:17:59 2010 : Info: +- entering group authorize {...} Thu Apr 22 14:17:59 2010 : Info: ++[preprocess] returns ok Thu Apr 22 14:17:59 2010 : Info: [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.2.1/auth-detail-20100422 Thu Apr 22 14:17:59 2010 : Info: [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.1/auth-detail-20100422 Thu Apr 22 14:17:59 2010 : Info: [auth_log] expand: %t -> Thu Apr 22 14:17:59 2010 Thu Apr 22 14:17:59 2010 : Info: ++[auth_log] returns ok Thu Apr 22 14:17:59 2010 : Info: [suffix] No '@' in User-Name = "kkigor14", looking up realm NULL Thu Apr 22 14:17:59 2010 : Info: [suffix] No such realm "NULL" Thu Apr 22 14:17:59 2010 : Info: ++[suffix] returns noop Thu Apr 22 14:17:59 2010 : Info: [eap] No EAP-Message, not doing EAP Thu Apr 22 14:17:59 2010 : Info: ++[eap] returns noop Thu Apr 22 14:17:59 2010 : Info: ++[unix] returns notfound Thu Apr 22 14:17:59 2010 : Info: [ldap] performing user authorization for kkigor14 Thu Apr 22 14:17:59 2010 : Info: [ldap] expand: %{Stripped-User-Name} -> Thu Apr 22 14:17:59 2010 : Info: [ldap] ... expanding second conditional Thu Apr 22 14:17:59 2010 : Info: [ldap] expand: %{User-Name} -> kkigor14 Thu Apr 22 14:17:59 2010 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kkigor14) Thu Apr 22 14:17:59 2010 : Info: [ldap] expand: dc=csimaroc, dc=lan -> dc=csimaroc, dc=lan Thu Apr 22 14:17:59 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Apr 22 14:17:59 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Apr 22 14:17:59 2010 : Debug: [ldap] attempting LDAP reconnection Thu Apr 22 14:17:59 2010 : Debug: [ldap] (re)connect to 127.0.0.1:389, authentication 0 Thu Apr 22 14:17:59 2010 : Debug: [ldap] bind as / to 127.0.0.1:389 Thu Apr 22 14:17:59 2010 : Debug: [ldap] waiting for bind result ... Thu Apr 22 14:17:59 2010 : Debug: [ldap] Bind was successful Thu Apr 22 14:17:59 2010 : Debug: [ldap] performing search in dc=csimaroc, dc=lan, with filter (uid=kkigor14) Thu Apr 22 14:17:59 2010 : Info: [ldap] No default NMAS login sequence Thu Apr 22 14:17:59 2010 : Info: [ldap] looking for check items in directory... Thu Apr 22 14:17:59 2010 : Debug: [ldap] sambaNtPassword -> NT-Password == 0x4535334337353245323438413034353342353531353646383131303237453139 Thu Apr 22 14:17:59 2010 : Debug: [ldap] sambaLmPassword -> LM-Password == 0x4432433038394334374245444535364641414433423433354235313430344545 Thu Apr 22 14:17:59 2010 : Info: [ldap] looking for reply items in directory... Thu Apr 22 14:17:59 2010 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Thu Apr 22 14:17:59 2010 : Info: [ldap] user kkigor14 authorized to use remote access Thu Apr 22 14:17:59 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Apr 22 14:17:59 2010 : Info: ++[ldap] returns ok Thu Apr 22 14:17:59 2010 : Info: ++[expiration] returns noop Thu Apr 22 14:17:59 2010 : Info: ++[logintime] returns noop Thu Apr 22 14:17:59 2010 : Info: [pap] Normalizing NT-Password from hex encoding Thu Apr 22 14:17:59 2010 : Info: [pap] Normalizing LM-Password from hex encoding Thu Apr 22 14:17:59 2010 : Info: [pap] No clear-text password in the request. Not performing PAP. Thu Apr 22 14:17:59 2010 : Info: ++[pap] returns noop Thu Apr 22 14:17:59 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Thu Apr 22 14:17:59 2010 : Info: Failed to authenticate the user. Thu Apr 22 14:17:59 2010 : Info: Using Post-Auth-Type Reject Thu Apr 22 14:17:59 2010 : Info: +- entering group REJECT {...} Thu Apr 22 14:17:59 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> kkigor14 Thu Apr 22 14:17:59 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Apr 22 14:17:59 2010 : Info: ++[attr_filter.access_reject] returns updated Thu Apr 22 14:17:59 2010 : Info: Delaying reject of request 0 for 1 seconds Thu Apr 22 14:17:59 2010 : Debug: Going to the next request Thu Apr 22 14:17:59 2010 : Debug: Waking up in 0.9 seconds. Thu Apr 22 14:18:00 2010 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 0 to 192.168.2.1 port 32790 Thu Apr 22 14:18:00 2010 : Debug: Waking up in 4.9 seconds. Thu Apr 22 14:18:05 2010 : Info: Cleaning up request 0 ID 0 with timestamp +188 Thu Apr 22 14:18:05 2010 : Info: Ready to process requests. All the Best -- ----------------------------------------------------------------- |JJohnny RANDRIAMAMPIONONA | | Phone: +212663682554 | | National School of Applied Sciences | | 1818 TANGIER 90000 | |----------------------------------------------------------------|
Johnny R wrote:
The authentication worked well locally against openldap (in the same server). When an user try to connect to internet in the Blue Zone (WLAN), it generates the following error in the radius-server. I am really stuck here, any help will be welcome.
Look at the debug log. The packet contains CHAP, and the database has only NT-Password and LM-Passwords. They are simply not compatible: http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
Hi again List, Thank very much Alan, I am so sorry if I am a little bit bothering ... but all seems to be jumbled in my head. So I have some questions: - is the cipher login/password which comes from CopSpot(or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know) - the authentication type set in ipcop is just "radius" (and its ip), so I don't understand why the packet contains CHAP? according to http://deployingradius.com/documents/configuration/active_directory.html, centralizing the authentication in samba will work fine, but I want to do it against ldap. I think, what's wrong here is that I added users by smbldap-useradd, not simply ldapadd (which won't work actually, it says: "invalid credentials") ... - So how can I force freeradius to use pap (to be able to authenticate it against ldap) even the passwd/login is tls ciphered (from chilispot)????I m really convinced that that's not possible, even senseless but I have to know why ... Finally, once again, I really want to thank the list for your availability, the freeradius dev. team, because this is a success for the open source community. Thanks, On Thu, Apr 22, 2010 at 4:45 PM, Alan DeKok <aland@deployingradius.com>wrote:
Johnny R wrote:
The authentication worked well locally against openldap (in the same server). When an user try to connect to internet in the Blue Zone (WLAN), it generates the following error in the radius-server. I am really stuck here, any help will be welcome.
Look at the debug log. The packet contains CHAP, and the database has only NT-Password and LM-Passwords. They are simply not compatible:
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- |JJohnny RANDRIAMAMPIONONA | | Phone: +212663682554 | | National School of Applied Sciences | | 1818 TANGIER 90000 | |----------------------------------------------------------------|
Hi,
* is the cipher login/password which comes from CopSpot(or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know)
if the server says its CHAP then its probably sent as CHAP rather than PAP...
* the authentication type set in ipcop is just "radius" (and its ip), so I don't understand why the packet contains CHAP?
RADIUS is the method of AAA - the CHAP is what the NAS/AP/captive system is sending the user details as CHAP and DB is a problem.... check your CopSpot system to see if that method can be changed.... alan
Johnny R wrote:
* is the cipher login/password which comes from CopSpot(or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know)
I have no idea what that means.
* the authentication type set in ipcop is just "radius" (and its ip), so I don't understand why the packet contains CHAP?
<shrug> Go ask the ipcop people.
according to http://deployingradius.com/documents/configuration/active_directory.html, centralizing the authentication in samba will work fine, but I want to do it against ldap. I think, what's wrong here is that I added users by smbldap-useradd, not simply ldapadd (which won't work actually, it says: "invalid credentials") ...
* So how can I force freeradius to use pap
You can't. The NAS (ipcop) determines what to put in the Access-Request, not FreeRADIUS. You need to put the clear-text password into the database. That's the only thing you can do to FreeRADIUS which will help.
(to be able to authenticate it against ldap) even the passwd/login is tls ciphered (from chilispot)????I m really convinced that that's not possible, even senseless but I have to know why ...
I have no idea what that means.
Finally, once again, I really want to thank the list for your availability, the freeradius dev. team, because this is a success for the open source community. Thanks,
It's what I do... Alan DeKok.
Hi all, Problem solved about CopSpot and Freeradius, it works against the user file (not OpenLDAP). Actually, I am wondering if I can do the authentication using eap-tls module. I enabled it and it gave me the following output: Tue Apr 27 11:12:19 2010 : Debug: radiusd: #### Loading Virtual Servers #### Tue Apr 27 11:12:19 2010 : Debug: server inner-tunnel { Tue Apr 27 11:12:19 2010 : Debug: modules { Tue Apr 27 11:12:19 2010 : Debug: Module: Checking authenticate {...} for more modules to load Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_pap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_pap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating pap Tue Apr 27 11:12:19 2010 : Debug: pap { Tue Apr 27 11:12:19 2010 : Debug: encryption_scheme = "auto" Tue Apr 27 11:12:19 2010 : Debug: auto_header = no Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_chap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_chap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating chap Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_mschap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_mschap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating mschap Tue Apr 27 11:12:19 2010 : Debug: mschap { Tue Apr 27 11:12:19 2010 : Debug: use_mppe = yes Tue Apr 27 11:12:19 2010 : Debug: require_encryption = no Tue Apr 27 11:12:19 2010 : Debug: require_strong = no Tue Apr 27 11:12:19 2010 : Debug: with_ntdomain_hack = no Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_unix, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_unix Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating unix Tue Apr 27 11:12:19 2010 : Debug: unix { Tue Apr 27 11:12:19 2010 : Debug: radwtmp = "/var/log/freeradius/radwtmp" Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_eap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_eap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap Tue Apr 27 11:12:19 2010 : Debug: eap { Tue Apr 27 11:12:19 2010 : Debug: default_eap_type = "tls" Tue Apr 27 11:12:19 2010 : Debug: timer_expire = 60 Tue Apr 27 11:12:19 2010 : Debug: ignore_unknown_eap_types = no Tue Apr 27 11:12:19 2010 : Debug: cisco_accounting_username_bug = no Tue Apr 27 11:12:19 2010 : Debug: max_sessions = 4096 Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_md5 Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-md5 Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_leap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-leap Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_gtc Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-gtc Tue Apr 27 11:12:19 2010 : Debug: gtc { Tue Apr 27 11:12:19 2010 : Debug: challenge = "Password: " Tue Apr 27 11:12:19 2010 : Debug: auth_type = "PAP" Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_tls Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-tls Tue Apr 27 11:12:19 2010 : Debug: tls { Tue Apr 27 11:12:19 2010 : Debug: rsa_key_exchange = no Tue Apr 27 11:12:19 2010 : Debug: dh_key_exchange = yes Tue Apr 27 11:12:19 2010 : Debug: rsa_key_length = 512 Tue Apr 27 11:12:19 2010 : Debug: dh_key_length = 512 Tue Apr 27 11:12:19 2010 : Debug: verify_depth = 0 Tue Apr 27 11:12:19 2010 : Debug: pem_file_type = yes Tue Apr 27 11:12:19 2010 : Debug: private_key_file = "$/etc/freeradius/certs/serverd.pem" Tue Apr 27 11:12:19 2010 : Debug: certificate_file = "$/etc/freeradius/certs/serverd.pem" Tue Apr 27 11:12:19 2010 : Debug: CA_file = "$/etc/freeradius/certs/root.pem" Tue Apr 27 11:12:19 2010 : Debug: private_key_password = "whatever" Tue Apr 27 11:12:19 2010 : Debug: dh_file = "$/etc/freeradius/certs/dh" Tue Apr 27 11:12:19 2010 : Debug: random_file = "$/etc/freeradius/certs/random" Tue Apr 27 11:12:19 2010 : Debug: fragment_size = 1024 Tue Apr 27 11:12:19 2010 : Debug: include_length = yes Tue Apr 27 11:12:19 2010 : Debug: check_crl = yes Tue Apr 27 11:12:19 2010 : Debug: cipher_list = "DEFAULT" Tue Apr 27 11:12:19 2010 : Debug: make_cert_command = "$/etc/root/Workdir/bootstrap" Tue Apr 27 11:12:19 2010 : Debug: cache { Tue Apr 27 11:12:19 2010 : Debug: enable = no Tue Apr 27 11:12:19 2010 : Debug: lifetime = 24 Tue Apr 27 11:12:19 2010 : Debug: max_entries = 255 Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory Tue Apr 27 11:12:19 2010 : Error: rlm_eap_tls: Error reading certificate file $/etc/freeradius/certs/serverd.pem Tue Apr 27 11:12:19 2010 : Error: rlm_eap: Failed to initialize type tls Tue Apr 27 11:12:19 2010 : Error: /etc/freeradius/eap.conf[17]: Instantiation failed for module "eap" Tue Apr 27 11:12:19 2010 : Error: /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module "eap". Tue Apr 27 11:12:19 2010 : Error: /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. serverd:~# Frankly, I don't know what the error means: is that the rlm_eap module was not found (and it's right, it is not present in my system) , if so how can I install it without reinstalling the whole freeradius ? Any Help will be appreciated. Best regards. On Fri, Apr 23, 2010 at 7:21 AM, Alan DeKok <aland@deployingradius.com>wrote:
Johnny R wrote:
* is the cipher login/password which comes from CopSpot(or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know)
I have no idea what that means.
* the authentication type set in ipcop is just "radius" (and its ip), so I don't understand why the packet contains CHAP?
<shrug> Go ask the ipcop people.
according to http://deployingradius.com/documents/configuration/active_directory.html, centralizing the authentication in samba will work fine, but I want to do it against ldap. I think, what's wrong here is that I added users by smbldap-useradd, not simply ldapadd (which won't work actually, it says: "invalid credentials") ...
* So how can I force freeradius to use pap
You can't. The NAS (ipcop) determines what to put in the Access-Request, not FreeRADIUS.
You need to put the clear-text password into the database. That's the only thing you can do to FreeRADIUS which will help.
(to be able to authenticate it against ldap) even the passwd/login is tls ciphered (from chilispot)????I m really convinced that that's not possible, even senseless but I have to know why ...
I have no idea what that means.
Finally, once again, I really want to thank the list for your availability, the freeradius dev. team, because this is a success for the open source community. Thanks,
It's what I do...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- |JJohnny RANDRIAMAMPIONONA | | Phone: +212663682554 | | National School of Applied Sciences | | 1818 TANGIER 90000 | |----------------------------------------------------------------|
Johnny R wrote:
Hi all, Problem solved about CopSpot and Freeradius, it works against the user file (not OpenLDAP). Actually, I am wondering if I can do the authentication using eap-tls module. I enabled it and it gave me the following output: ... Tue Apr 27 11:12:19 2010 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory Tue Apr 27 11:12:19 2010 : Error: rlm_eap_tls: Error reading certificate file $/etc/freeradius/certs/serverd.pem
So... that file doesn't exist. Maybe you need to create it? And this error occurs only if you edit the default configuration, and break it.
Frankly, I don't know what the error means: is that the rlm_eap module was not found (and it's right, it is not present in my system) , if so how can I install it without reinstalling the whole freeradius ?
You should try reading *all* of the error messages, rather than only the last one or two. The server is telling you what's wrong. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Johnny R