Freeradius-Users Digest, Vol 63, Issue 97
ping
ping.song at ericsson.com
Wed Jul 28 11:43:51 CEST 2010
I constantly get this error:
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
why?
On 07/28/2010 08:07 AM, freeradius-users-request at lists.freeradius.org
wrote:
> Today's Topics:
>
> 1. Re: SV: FR proxy to ACS and NPS with MS CHAP v2 (SagiBarOr)
> 2. RHDS (Natr Brazell)
> 3. RE: Bug #17 (MS-CHAP user names) (Garber, Neal)
> 4. incorrect auth-type (Sallee, Stephen (Jake))
> 5. Re: RHDS (John Dennis)
> 6. coa proxy'ing with a NAC device (Kevin Ehlers)
> 7. Passing variables from inner tunnel (newtownz)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 27 Jul 2010 04:12:16 -0700 (PDT)
> From: SagiBarOr<sagi.bar-or at intel.com>
> Subject: Re: SV: FR proxy to ACS and NPS with MS CHAP v2
> To: freeradius-users at lists.freeradius.org
> Message-ID:<29275298.post at talk.nabble.com>
> Content-Type: text/plain; charset=UTF-8
>
>
> Thank you for the info Jan. The radiusd-x files were included in the zip
> files. Though I guess the other logs were overwhelming.
> I now posted the two log files here.
> The file cn-check_splitauth.log is from the first free radius.
> The file ldap_mschapv2.log is from the second FR server which does the MS
> CHAP v2 portion.
> Note that everything works in this configuration. No issues. What I like
> the forum to advise, is what might be non std or missing in the MS CHAP v2
> session, which FR overcomes it.
> When I replace the 2nd FR with MS NPS or Cisco NPS the authentication fails,
> looks like because the pwd (hash) does not match.
> Thanks
> Sagi
>
>
>
> Madsen.Jan JMD wrote:
>
>> I think you need to stop the radius process and then start it with radiusd
>> -X
>> This will run freeradius in the window you are starting it in, in debug
>> mode.
>>
>> On a Linux it will look something like this
>> /usr/sbin/freeradius -X (Default Debian install directory)
>>
>> Or in a manually compiled
>> /opt/freeradius-1.1.8/sbin/radiusd -X (My install location)
>>
>> And that output it comes from that is what Phil wants :)
>>
>> Best regards
>> Jan Madsen
>>
>>
>>
>> -----Original message-----
>> From: freeradius-users-bounces+jmd=kmd.dk at lists.freeradius.org
>> [mailto:freeradius-users-bounces+jmd=kmd.dk at lists.freeradius.org] On behalf
>> of SagiBarOr
>> Sent: 15 July 2010 09:46
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: FR proxy to ACS and NPS with MS CHAP v2
>>
>>
>> Thank you for the clarification Phil. I am not sure what "radius -x"
>> means. I
>> posted the two output files I have. Are these the ones? If not, pls
>> elaborate.
>>
>> Note that these are the output files for the two FR servers, for which
>> everything is just fine. What does not work is when the second server is
>> not
>> FR but NPS or ACS. I hope this data will suffice to identify the issue or
>> at least give good leads.
>>
>>
>>
>>
>>
>> Phil Mayers wrote:
>>
>>> On 07/14/2010 11:17 PM, SagiBarOr wrote:
>>>
>>>> Files posted.
>>>>
>>> No.
>>>
>>> Post the output of "radiusd -X" to the list.
>>>
>>> We don't need anything else; just that.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>>
>>>
>> http://old.nabble.com/file/p29170161/cn-check_splitauth.log
>> cn-check_splitauth.log
>> http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log
>> --
>> View this message in context:
>> http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170161.html
>> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> __________________________________________________________________________________________
>> KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745
>>
>> KMD is a member of IT-Branchen and Dansk Erhverv and is registered with
>> Datatilsynet as an IT service company. KMD is certified according to
>> ISO 9001:2000, with Dansk Standard as the certifying body, and is also a
>> Microsoft Gold Certified Partner and Certified SAP Hosting Center.
>>
>> www.kmd.dk www.kundenet.kmd.dk www.organisator.dk
>> www.kmdinternational.com
>>
>> If you received this e-mail by mistake, please notify me and delete it.
>> Thank you.
>> __________________________________________________________________________________________
>>
>>
>>
> http://old.nabble.com/file/p29275298/cn-check_splitauth.log
> cn-check_splitauth.log
> http://old.nabble.com/file/p29275298/ldap_mschapv2.log ldap_mschapv2.log
> --
> View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29275298.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 27 Jul 2010 12:59:43 -0400
> From: Natr Brazell<natrbrazell at gmail.com>
> Subject: RHDS
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> <AANLkTimumkhagDih-xi4FhfXQybKgcPsNkxaTeMmHtWp at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Anyone using the Redhat Directory Server (RHDS) or 389-server versions of
> LDAP with their freeradius services? Curious really?
>
> Thanks,
> Nate Brazell
>
> ------------------------------
>
> Message: 3
> Date: Tue, 27 Jul 2010 13:37:46 -0400
> From: "Garber, Neal"<Neal.Garber at energyeast.com>
> Subject: RE: Bug #17 (MS-CHAP user names)
> To: "'FreeRadius users mailing list'"
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <3FF48394E621F14F97A9117CF92D138E585EF5FAED at EEROCH1CMS1.Energyeast.net>
>
> Content-Type: text/plain; charset="us-ascii"
>
>
>> I've done some minor editing to the patches, and put them into the
>> code for 2.1.10.
>>
> I just downloaded and installed 2.1.10 on my test server. So far, everything looks good. Thank you Alan.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 27 Jul 2010 13:13:51 -0500
> From: "Sallee, Stephen (Jake)"<Jake.Sallee at umhb.edu>
> Subject: incorrect auth-type
> To:<freeradius-users at lists.freeradius.org>
> Message-ID:<4E2E6B81A1D0FE4E8E2B01F5FE9A0126109DC9A6 at newman.umhb.edu>
> Content-Type: text/plain; charset="us-ascii"
>
>
> I am new to FreeRADIUS so please be patient with me. I am scouring the
> docs as I write this but so far I have been stumped. Below I have
> included the debug output of my server when I send it an authentication
> request.
>
> You will see that the user is found and authenticated by the
> "ntlm_auth_Cru" module, however the user is still rejected because the
> server says no auth-type was configured for the request. Any help is
> appreciated.
>
> I have the following lines in my users file:
> -----------------
> DEFAULT Auth-Type := ntlm_auth
>         Fall-Through = Yes
> -----------------
>
> I also have the following in my radius.conf:
> ------------------
> redundant ntlm_auth {
>     group {
>         ntlm_auth_Cru {
>             reject = 1
>             ok = return
>         }
>         ntlm_auth_UMHB {
>             reject = 1
>             ok = return
>         }
>     }
> }
> ------------------
>
>
> Here is the debug output:
> ------------------
> rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
> length=51
> User-Name = "image"
> User-Password = "image"
> NAS-IP-Address = 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
> Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
> Tue Jul 27 13:01:03 2010 : Info: +++- entering group {...}
> Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] expand:
> --username=%{mschap:User-Name} -> --username=image
> Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] expand:
> --password=%{User-Password} -> --password=image
> Tue Jul 27 13:01:03 2010 : Debug: Exec-Program output: NT_STATUS_OK:
> Success (0x0)
> Tue Jul 27 13:01:03 2010 : Debug: Exec-Program-Wait: plaintext:
> NT_STATUS_OK: Success (0x0)
> Tue Jul 27 13:01:03 2010 : Debug: Exec-Program: returned: 0
> Tue Jul 27 13:01:03 2010 : Info: ++++[ntlm_auth_Cru] returns ok
> Tue Jul 27 13:01:03 2010 : Info: +++- group returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++[expiration] returns noop
> Tue Jul 27 13:01:03 2010 : Info: ++[logintime] returns noop
> GOT CLONE -1208792368 0x9f8ff70
> Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence SWITCH:
> 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence MAC:
> Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence USER: image
> Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Name = image
> Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Password =
> image
> Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair NAS-IP-Address =
> 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
> Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type)
> configuration found for the request: Rejecting the user
> Tue Jul 27 13:01:03 2010 : Info: Failed to authenticate the user.
> Tue Jul 27 13:01:03 2010 : Info: Using Post-Auth-Type Reject
> Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
> Tue Jul 27 13:01:03 2010 : Info: [attr_filter.access_reject] expand:
> %{User-Name} -> image
> Tue Jul 27 13:01:03 2010 : Debug: attr_filter: Matched entry DEFAULT at
> line 11
> Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns
> updated
> Tue Jul 27 13:01:03 2010 : Info: Delaying reject of request 0 for 1
> seconds
> Tue Jul 27 13:01:03 2010 : Debug: Going to the next request
> Tue Jul 27 13:01:03 2010 : Debug: Waking up in 0.8 seconds.
> Tue Jul 27 13:01:04 2010 : Info: Sending delayed reject for request 0
> Sending Access-Reject of id 239 to 10.2.1.75 port 46841
> Tue Jul 27 13:01:04 2010 : Debug: Waking up in 4.9 seconds.
> Tue Jul 27 13:01:09 2010 : Info: Cleaning up request 0 ID 239 with
> timestamp +26
> Tue Jul 27 13:01:09 2010 : Debug: Ready to process requests.
> ------------------
>
>
> PS: I know it is not best practice to specify the default auth-type but
> this is a single purpose server and I know what types of requests are
> going to come to it, anything other than what I want should be
> discarded.
>
>
>
> Jake Sallee
> Godfather Of Bandwidth
> Network Engineer
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 27 Jul 2010 14:19:48 -0400
> From: John Dennis<jdennis at redhat.com>
> Subject: Re: RHDS
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:<4C4F2344.70907 at redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 07/27/2010 12:59 PM, Natr Brazell wrote:
>
>> Anyone using the Redhat Directory Server (RHDS) or 389-server versions
>> of LDAP with their freeradius services? Curious really?
>>
> Yes (but I guess that's obvious given my .sig)
>
> --
> John Dennis<jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 27 Jul 2010 13:34:11 -0700
> From: Kevin Ehlers<kevin at uoregon.edu>
> Subject: coa proxy'ing with a NAC device
> To: freeradius-users at lists.freeradius.org
> Message-ID:<4C4F42C3.4080906 at uoregon.edu>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'm having a really hard time with proxying or just dealing with
> CoA's. The documentation just isn't working for me.
>
> I can configure the coa server. I can get the originate-coa server up
> too. I can send CoA's to the server, but I can't get it to proxy them
> or re-send them as if it was originating the CoA. I see that they're
> being processed when looking at debug mode. But I just don't know how
> to do anything with them.
>
> This is what I want to do:
> [lots of switches doing dot1x]<->[freeradius]<->[NAC device,
> PacketFence in this case]
>
> I want to be able to send a CoA request from PacketFence (or another
> management server) to freeradius, and have it relay that CoA to a
> specific switch. E.g. I have determined that a user needs to be
> quarantined, so I run a script on the backend, and part of that
> requires having that user re-authenticate and get assigned a
> quarantine vlan. PF determines which switch they're on, sends a CoA
> to FreeRadius, FreeRadius then sends the CoA to the correct switch.
>
> Is there a way to do this without configuring a client entry for every
> edge device? Should I be using the proxy.conf in some way? I'm not
> really clear about how to use the virtual servers in regard to proxying.
>
> Thanks,
>
> --
> Kevin Ehlers
> Network Engineer
> University of Oregon
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 27 Jul 2010 17:07:37 -0700 (PDT)
> From: newtownz<jean466 at sympatico.ca>
> Subject: Passing variables from inner tunnel
> To: freeradius-users at lists.freeradius.org
> Message-ID:<29279811.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> Hi,
>
> I'm trying to pass the value of LDAP-UserDn from the inner-tunnel
> to the default server. I have read unlang and also tried many combinations
> including update outer.control from the inner tunnel and nothing worked...
>
> Here is a debug output where we can see that the User-Dn gets expanded
> correctly in the tunnel but is empty in the default server.
>
> ++[eap] returns ok
> +- entering group post-auth {...}
> expand: %{control:LDAP-UserDn} -> cn=aruba,ou=etudiant,o=org
> Exec-Program output: etudiant
> Exec-Program-Wait: plaintext: etudiant
> Exec-Program: returned: 0
> ++[reply] returns noop
> ++[outer.control] returns noop
> } # server inner-tunnel
> ....
> ....
> [eap] Freeing handler
> ++[eap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> expand: %{control:LDAP-UserDn} ->
> PHP Notice: Undefined offset: 0 in /etc/freeradius/scripts/php3 on line 4
> Exec-Program output: dewor
> Exec-Program-Wait: plaintext: dewor
> Exec-Program: returned: 0
>
> Thanks
>
> Jean
> --
> View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29279811.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 63, Issue 97
> ************************************************
>