incorrect auth-type
Alan DeKok
aland at deployingradius.com
Wed Jul 28 14:37:00 CEST 2010
Sallee, Stephen (Jake) wrote:
> You will see that the user is found and authenticated by the
> "ntlm_auth_Cru" module, however the user is still rejected because the
> server says no auth-type was configured for the request. Any help is
> appreciated.
Yes, because you didn't put the configuration into the right place.
> I have the following lines in my users file:
> -----------------
> DEFAULT Auth-Type := ntlm_auth
>         Fall-Through = Yes
> -----------------
>
> I also have the following in my radius.conf:
Where? The location is important. You can't just put random text
into random places, and expect it to do what you want.
> Here is the debug output:
From "-Xx". Please use *just* "-X", as suggested everywhere.
Following basic instructions is the first step to fixing the problem.
> ------------------
> rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
> length=51
> User-Name = "image"
> User-Password = "image"
> NAS-IP-Address = 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
> Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Hmm... you put the *authentication* configuration into the
*authorization* section.
Why?
See my web page for the *correct* configuration:
http://deployingradius.com/documents/configuration/active_directory.html
And you *deleted* "files" from the "authorize" section. This means
that the "users" file entry you posted above does *nothing*.
> PS: I know it is not best practice to specify the default auth-type but
> this is a single purpose server and I know what types of requests are
> going to come to it, anything other than what I want should be
> discarded.
(1) Don't butcher the configuration.
(2) Follow the documentation.
If you want to use the fail-over configuration for 2 versions of
ntlm_auth, read my web page and follow the instructions. Then, where it
says to list "ntlm_auth" in the "authenticate" section, *instead*, put:
	Auth-Type ntlm_auth {
		group {
			ntlm_auth_Cru {
				reject = 1
				ok = return
			}
			ntlm_auth_UMHB {
				reject = 1
				ok = return
			}
		}
	}
That should work.
Alan DeKok.
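The two mistakes named in this reply (authentication modules listed in "authorize", and "files" removed from it) can be checked mechanically. The following is an added example, not part of the original message and not FreeRADIUS code: a small Python check over a simplified virtual-server layout, where the sample configuration, the function names, and the inputs `users_auth_type` (the Auth-Type set in the users file) and `auth_only_modules` are assumptions made for illustration.

```python
# Constructed sample: the layout the quoted debug output implies.
BROKEN = """
authorize {
    preprocess
    ntlm_auth {
        ntlm_auth_Cru
        ntlm_auth_UMHB
    }
}
authenticate {
}
"""

def parse(text):
    """Parse brace-delimited sections into nested {name: subtree} dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            child = stack[-1][line[:-1].strip()] = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][line] = None  # module reference or "code = action"
    return stack[0]

def names(tree):
    """Section and module names anywhere under tree; 'ok = return' lines skipped."""
    found = set()
    for key, sub in (tree or {}).items():
        if "=" not in key:
            found.add(key.split()[-1])
        found |= names(sub)
    return found

def lint(text, users_auth_type, auth_only_modules):
    cfg = parse(text)
    authorize = names(cfg.get("authorize"))
    # A bare module name in "authenticate" also defines an Auth-Type.
    auth_types = {k.split()[-1] for k in cfg.get("authenticate", {})}
    findings = [f"{m}: authentication module listed in authorize"
                for m in sorted(auth_only_modules & authorize)]
    if "files" not in authorize:
        findings.append("files: not in authorize, users file entries do nothing")
    if users_auth_type not in auth_types:
        findings.append(f"Auth-Type {users_auth_type}: not defined in authenticate")
    return findings

print("\n".join(lint(BROKEN, "ntlm_auth", {"ntlm_auth_Cru", "ntlm_auth_UMHB"})))
```

The parser only understands one section opener or closer per line, so it is meant for a trimmed copy of the virtual server, not the full configuration tree.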