Auth-Type LDAP and "WARNING: Unknown value specified for Auth-Type. Cannot perform requested action"

José Ignacio Siles Rueda jisiles at ingenia.es
Thu Jun 25 17:50:20 CEST 2015


Hi,

I'm well aware of the advice not to set Auth-Type and to let freeradius choose the proper auth method, but I need LDAP authentication, and the IT staff of the LDAP server are very hostile to giving freeradius the userPassword info. So, my only choice is binding the user to LDAP, and praying for the best...

AFAIK, if I can't get the proper userPassword (stored as SHA1 in LDAP), I'll never reach the PAP module, and my only way out is using an LDAP bind in the authorize and authenticate sections of inner-tunnel.

I'm using version 2.1.12, and my inner-tunnel is as follows:

server inner-tunnel {

authorize {
     suffix
     eap {
          ok = return
     }
     switch "%{Realm}" {
          case "alumno.upo.es" {
               LDAP_estudiantes
          }
          case "upo.es" {
               LDAP_docentes
          }
     }
}
authenticate {
     eap
     Auth-Type LDAP_estudiantes {
          LDAP_estudiantes
     }
     Auth-Type LDAP_docentes {
          LDAP_docentes
     }
     Auth-Type PAP {
          pap
     }
}
session {
     radutmp
}
post-auth {
     reply_log
     Post-Auth-Type REJECT {
          attr_filter.access_reject
     }
     update outer.reply {
          User-Name = "%{request:User-Name}"
     }
}

And modules/ldap is as follows:

ldap LDAP_estudiantes {
     server = "ldap.XXX.XX"
     basedn = "o=XXX, c=XX"
     filter = "(&(|(uid=%{User-Name})(mail=%{Stripped-User-Name}@alumno.XX.XX)(mailAlternateAddress=%{Stripped-User-Name}@alumno.XX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XX.XX:entitlement:ServiciosRed:wifi:estudiantes))"
     base_filter = "(objectclass=irisperson)"
     groupname_attribute = "IrisUserEntitlement"
     groupmembership_attribute = "IrisUserEntitlement"
     ldap_connections_number = 100
     timeout = 4
     timelimit = 3
     net_timeout = 1
     tls {
          start_tls = no
          cacertfile = /etc/raddb/certs/SCSChain.XX.XX
     }
     dictionary_mapping = ${confdir}/ldap.attrmap
     edir_account_policy_check = no
}
ldap LDAP_docentes {
     server = "ldap.XXX.XX"
     basedn = "o=XXX, c=XX"
     filter = "(&(|(uid=%{User-Name})(mail=%{Stripped-User-Name}@XX.XX)(mailAlternateAddress=%{Stripped-User-Name}@XX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XX.XX:entitlement:ServiciosRed:wifi:Docentes))"
     base_filter = "(objectclass=irisperson)"
     groupname_attribute = "IrisUserEntitlement"
     groupmembership_attribute = "IrisUserEntitlement"
     ldap_connections_number = 100
     timeout = 4
     timelimit = 3
     net_timeout = 1
     tls {
          start_tls = no
          cacertfile = /etc/raddb/certs/SCSChain.XX.XX
     }
     dictionary_mapping = ${confdir}/ldap.attrmap
     edir_account_policy_check = no
}

And, if I try one user with "alumno.XX.XX" realm, I'm getting:

[ttls] Got tunneled request
        User-Name = "uwifialumno@alumno.XX.XX"
        User-Password = "XXXX"
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "uwifialumno@alumno.XX.XX"
        User-Password = "XXXXX"
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[suffix] Looking up realm "alumno.XXX.XX" for User-Name = "uwifialumno@alumno.XXX.XX"
[suffix] Found realm "alumno.XXX.XX"
[suffix] Adding Stripped-User-Name = "uwifialumno"
[suffix] Adding Realm = "alumno.XXX.XX"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
       expand: %{Realm} -> alumno.XXX.XX
++- entering switch %{Realm} {...}
+++- entering case alumno.XXX.XX {...}
[LDAP_estudiantes] performing user authorization for uwifialumno
[LDAP_estudiantes]      expand: (&(|(uid=%{User-Name})(mail=%{Stripped-User-Name}@alumno.XXX.XX)(mailAlternateAddress=%{Stripped-User-Name}@alumno.XXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes)) -> (&(|(uid=uwifialumno@alumno.XXX.XX)(mail=uwifialumno@alumno.XXX.XX)(mailAlternateAddress=uwifialumno@alumno.XXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))
[LDAP_estudiantes]      expand: o=XXXXXX, c=XX -> o=XXXXX, c=XX
  [LDAP_estudiantes] ldap_get_conn: Checking Id: 0
  [LDAP_estudiantes] ldap_get_conn: Got Id: 0
  [LDAP_estudiantes] performing search in o=XXXXX, c=XX, with filter (&(|(uid=uwifialumno@alumno.XXX.XX)(mail=uwifialumno@alumno.XXX.XX)(mailAlternateAddress=uwifialumno@alumno.XXXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))
[LDAP_estudiantes] looking for check items in directory...
[LDAP_estudiantes] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[LDAP_estudiantes] Setting Auth-Type = LDAP_estudiantes
[LDAP_estudiantes] user uwifialumno authorized to use remote access
  [LDAP_estudiantes] ldap_release_conn: Release Id: 0
++++[LDAP_estudiantes] returns ok
+++- case alumno.upo.es returns ok
++- switch %{Realm} returns ok
Found Auth-Type = LDAP_estudiantes
  WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
Failed to authenticate the user.
Login incorrect: [uwifialumno] (from client RedAPs-oviwan port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

Why am I getting "Unknown value specified for Auth-Type" if I define:

Auth-Type LDAP_estudiantes {
     LDAP_estudiantes
}

in my inner-tunnel config file?

Thanks in advance,

Ignacio Siles
Project Manager - Infrastructure / Wireless Solutions and Products
IT Services and Solutions Department

Phone:                +34 672.283.836
Skype                    jisiles.ingenia
C/Severo Ochoa, 43 Parque Tecnológico de Andalucía
29590. Málaga
Tel: +34 952029300 | Fax: +34 952029309
www.ingenia.es
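The check a practitioner would run before re-reading the config by eye: compare the Auth-Type value the module sets during authorize (visible in the radiusd -X output above) with the "Auth-Type X { ... }" sub-sections actually present in the authenticate section of the virtual server that handles the request, since that lookup is what the "Unknown value specified for Auth-Type" warning reports as failing. The script below is an added example and not code from the post or from the FreeRADIUS project. It embeds a constructed copy of the inner-tunnel config and the relevant debug lines from the post, plus a hypothetical "stale" variant of the file (INNER_TUNNEL_CONF_STALE) in which the LDAP sub-sections are absent, to show what the audit reports in each case; the stale-file scenario is an assumption for illustration, not a claim about the poster's setup. The section parser and the SET_RE/UNKNOWN_RE patterns are this example's own helpers.

```python
"""Cross-check module-set Auth-Type values against the authenticate section of
a FreeRADIUS 2.x virtual server.  Added example; not code from the post or from
the FreeRADIUS project.  Sample config and debug lines are constructed from the
post above (redacted names kept)."""
import re

# Constructed sample: the inner-tunnel virtual server as pasted in the post.
INNER_TUNNEL_CONF = """
server inner-tunnel {
    authorize {
        suffix
        eap {
            ok = return
        }
        switch "%{Realm}" {
            case "alumno.upo.es" {
                LDAP_estudiantes
            }
            case "upo.es" {
                LDAP_docentes
            }
        }
    }
    authenticate {
        eap
        Auth-Type LDAP_estudiantes {
            LDAP_estudiantes
        }
        Auth-Type LDAP_docentes {
            LDAP_docentes
        }
        Auth-Type PAP {
            pap
        }
    }
}
"""

# Constructed, hypothetical sample: a copy of the file with no LDAP sub-sections
# (e.g. an older copy in sites-enabled being the one radiusd actually loads).
INNER_TUNNEL_CONF_STALE = """
server inner-tunnel {
    authenticate {
        eap
        Auth-Type PAP {
            pap
        }
    }
}
"""

# Constructed sample: the relevant radiusd -X lines from the post.
DEBUG_LOG = """
server inner-tunnel {
[LDAP_estudiantes] Setting Auth-Type = LDAP_estudiantes
++++[LDAP_estudiantes] returns ok
Found Auth-Type = LDAP_estudiantes
  WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
Failed to authenticate the user.
} # server inner-tunnel
"""


def parse_sections(text):
    """Parse brace-delimited radiusd config (one item per line) into nested
    dicts: section header -> children; module calls and settings -> None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):                   # open a sub-section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                        # close the current one
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            stack[-1][line] = None
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def declared_auth_types(conf_text, server="inner-tunnel"):
    """Values X that have an 'Auth-Type X { ... }' sub-section in the given
    virtual server's authenticate section."""
    srv = parse_sections(conf_text).get(f"server {server}")
    if srv is None:
        raise KeyError(f"no 'server {server}' block in config")
    auth = srv.get("authenticate") or {}
    return {h.split(None, 1)[1] for h in auth if h.startswith("Auth-Type ")}


SET_RE = re.compile(r"\[(?P<module>[^\]]+)\] Setting Auth-Type = (?P<value>\S+)")
UNKNOWN_RE = re.compile(r"Unknown value specified for Auth-Type")


def audit(conf_text, log_text, server="inner-tunnel"):
    """For every Auth-Type a module set in the debug log, record whether the
    loaded virtual server declares a matching sub-section (exact string match),
    and whether the 'Unknown value' warning appeared."""
    declared = declared_auth_types(conf_text, server)
    report = {"declared": sorted(declared), "set": [], "warning_seen": False}
    for line in log_text.splitlines():
        m = SET_RE.search(line)
        if m:
            value = m.group("value")
            report["set"].append({"module": m.group("module"),
                                  "auth_type": value,
                                  "dispatchable": value in declared})
        elif UNKNOWN_RE.search(line):
            report["warning_seen"] = True
    return report


if __name__ == "__main__":
    for label, conf in (("as pasted", INNER_TUNNEL_CONF),
                        ("stale copy", INNER_TUNNEL_CONF_STALE)):
        print(label, audit(conf, DEBUG_LOG))
```

Against the config exactly as pasted, every Auth-Type the module sets is dispatchable and the warning in the log is unexplained by the file contents, which points the investigation at whether the file being edited is the one radiusd loaded; against the stale variant the report flags LDAP_estudiantes as undeclared, which is the configuration shape that produces this warning.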