falling back to local auth and not ads
Morris, Andi
amorris at cardiffmet.ac.uk
Fri Apr 27 11:26:33 CEST 2012
Just to clear this up, with the help of the people on the here and the PacketFence list the problem has now been resolved.
There was a file called mschap.bkp in /etc/raddb/modules/ which once removed the requests went through as expected.
The entry to allow all non-eap requests through in the users file is necessary for the purpose of the package so that devices authenticating using Mac-Authentication, or similar are allowed through.
Cheers for the help everyone,
Andi
-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Morris, Andi
Sent: 24 April 2012 14:03
To: FreeRadius users mailing list
Subject: RE: falling back to local auth and not ads
Thanks Alan,
I've looked further into the documentation of the pre-build package, and as far as I can tell that entry is required, so that non-EAP requests still get accepted, but the device gets put into the captive-portal. I will seek further clarification on this through them directly.
Thanks for your help,
Andi
-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of alan buxey
Sent: 24 April 2012 13:39
To: FreeRadius users mailing list
Subject: Re: falling back to local auth and not ads
Hi,
> I have been through the steps again and found that final radtest shows an access-reject and the debug shows:
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user Failed to authenticate the user.
this is still with this prebuilt package? I would say theres all kinds of things wrong with that package and you'd be best off working with just a fresh copy of FreeRADIUS built direct from source.... for one thing, it works straight out of the box once you've added a source of authentication (ie added an entry in users file or configured the ntlm_auth)
ERROR: No authenticate method (Auth-Type) means that you dont have the required handler present to deal with the request. it worked before as you had a HUGE bodge in the users file saying that if the request wasnt EAP then just accept...no matter what! :-|
you CANNOT (thankfully!) just blindly accept all EAP - there has to be a 2-way communication of trust and the setting up of crypto keys etc. to work with EAP and MSCHAP without EAP you will need to ensure the required modules are enabled and configured...so you're looking at eg mschap module and ntlm_auth module.
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list