Help Please
Adam Schappell
aschappell at clearedgeit.com
Thu Mar 26 18:14:51 CET 2015
I don't think I understand what you mean by "empty it out"? Here is my config
in sites-enabled/inner-tunnel:
authorize {
    pap
    # The chap module will set 'Auth-Type := CHAP' if we are
    # handling a CHAP request and Auth-Type has not already been set
    chap
    #
    # If the users are logging in with an MS-CHAP-Challenge
    # attribute for authentication, the mschap module will find
    # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
    # to the request, which will cause the server to then use
    # the mschap module for authentication.
    mschap
    #
    # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
    # using the system API's to get the password. If you want
    # to read /etc/passwd or /etc/shadow directly, see the
    # passwd module, above.
    #
    # unix
    #
    # Look for IPASS style 'realm/', and if not found, look for
    # '@realm', and decide whether or not to proxy, based on
    # that.
    # IPASS
    #
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    #
    # Note that proxying the inner tunnel authentication means
    # that the user MAY use one identity in the outer session
    # (e.g. "anonymous"), and a different one here
    # (e.g. "user at example.com"). The inner session will then be
    # proxied elsewhere for authentication. If you are not
    # careful, this means that the user can cause you to forward
    # the authentication to another RADIUS server, and have the
    # accounting logs *not* sent to the other server. This makes
    # it difficult to bill people for their network activity.
    #
    suffix
    # ntdomain
    #
    # The "suffix" module takes care of stripping the domain
    # (e.g. "@example.com") from the User-Name attribute, and the
    # next few lines ensure that the request is not proxied.
    #
    # If you want the inner tunnel request to be proxied, delete
    # the next few lines.
    #
    update control {
        Proxy-To-Realm := LOCAL
    }
    #
    # This module takes care of EAP-MSCHAPv2 authentication.
    #
    # It also sets the EAP-Type attribute in the request
    # attribute list to the EAP type from the packet.
    #
    # The example below uses module failover to avoid querying all
    # of the following modules if the EAP module returns "ok".
    # Therefore, your LDAP and/or SQL servers will not be queried
    # for the many packets that go back and forth to set up TTLS
    # or PEAP. The load on those servers will therefore be reduced.
    #
    eap {
        ok = return
    }
    #
    # Read the 'users' file
    files
    #
    # Look in an SQL database. The schema of the database
    # is meant to mirror the "users" file.
    #
    # See "Authorization Queries" in sql.conf
    sql
    #
    # If you are using /etc/smbpasswd, and are also doing
    # mschap authentication, then un-comment this line, and
    # configure the 'etc_smbpasswd' module, above.
    # etc_smbpasswd
    #
    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    # ldap
    #
    # Enforce daily limits on time spent logged in.
    # daily
    #
    # Use the checkval module
    # checkval
    expiration
    logintime
    #
    # If no other module has claimed responsibility for
    # authentication, then try to use PAP. This allows the
    # other modules listed above to add a "known good" password
    # to the request, and to do nothing else. The PAP module
    # will then see that password, and use it to do PAP
    # authentication.
    #
    # This module should be listed last, so that the other modules
    # get a chance to set Auth-Type for themselves.
    #
    pap
}
Adam Schappell
System Administrator II
Clearedge IT Solutions, LLC
10620 Guilford Road
Jessup, MD 20794
Office:443-212-4712
Fax:443-212-4809
www.ClearEdgeIT.com <http://www.clearedgeit.com/>
On Thu, Mar 26, 2015 at 12:58 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Thu, Mar 26, 2015 at 12:51:06PM -0400, Adam Schappell wrote:
> > Ok I figured all that out, supposedly it does not like the APs connecting to
> > different subnets, which is not going to go over well with my DMZ. But now I
> > am getting a reject error when authenticating to wifi. Here is the debug output.
> >
> > [peap] Got inner identity 'CORP\aschappell'
> > [peap] Setting default EAP type for tunneled EAP session.
> > [peap] Got tunneled request
> > EAP-Message = 0x0217001401434f52505c61736368617070656c6c
> > server {
> > [peap] Setting User-Name to CORP\aschappell
> > Sending tunneled request
> > EAP-Message = 0x0217001401434f52505c61736368617070656c6c
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = "CORP\\aschappell"
> > server inner-tunnel {
> > WARNING: Empty authorize section. Using default return values.
>
> ^^^^^^^^^^^^^^
>
> Did you empty out the authorize {} section in
> sites-enabled/inner-tunnel?
>
> Is the inner-tunnel virtual server actually there (symlink in
> sites-enabled pointing back to sites-available)?
>
> Matthew
>
>
> > ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> > Failed to authenticate the user.
> > Login incorrect: [CORP\\aschappell] (from client ClearEdge port 0 via TLS tunnel)
> > } # server inner-tunnel
> >
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
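Added example, not part of the thread: a small POSIX sh check for the two things Matthew asked about (is sites-enabled/inner-tunnel a symlink back into sites-available, and does its authorize {} block actually list any modules), run against a constructed raddb tree rather than a real install.

```shell
# Added example, not from the thread: checks the two things Matthew asked about, assuming the
# layout named there (raddb/sites-enabled/inner-tunnel -> ../sites-available/inner-tunnel).

# Count entries (modules or sub-blocks) directly inside authorize { ... }, ignoring
# comments, blank lines and nested lines such as "Proxy-To-Realm := LOCAL".
count_authorize_entries() {
    awk '/^[ \t]*authorize[ \t]*[{]/ { inblk = 1; depth = 1; next }
         inblk { line = $0; sub(/#.*/, "", line)
                 if (line ~ /^[ \t]*$/) next
                 if (depth == 1 && line !~ /^[ \t]*[}]/) count++
                 depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
                 if (depth <= 0) inblk = 0 }
         END { print count + 0 }' "$1"
}

# Exit status: 0 ok, 1 file missing or dangling, 2 not a symlink into sites-available,
# 3 authorize {} is empty (the state behind "WARNING: Empty authorize section").
check_inner_tunnel() {
    enabled="$1/sites-enabled/inner-tunnel"
    [ -e "$enabled" ] || { echo "MISSING: $enabled"; return 1; }
    case "$([ -L "$enabled" ] && readlink "$enabled")" in
        *sites-available/inner-tunnel) ;;
        *) echo "NOT a symlink into sites-available: $enabled"; return 2 ;;
    esac
    n=$(count_authorize_entries "$enabled")
    [ "$n" -gt 0 ] || { echo "EMPTY authorize {} in $enabled"; return 3; }
    echo "OK: $enabled lists $n authorize entries"
}

# Build a constructed raddb tree under $1; with "$2" = empty the authorize block is emptied.
make_demo_raddb() {
    mkdir -p "$1/sites-available" "$1/sites-enabled"
    body='    pap
    mschap
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    pap'
    if [ "$2" = empty ]; then body=''; fi
    printf 'server inner-tunnel {\nauthorize {\n%s\n}\n}\n' "$body" > "$1/sites-available/inner-tunnel"
    ln -s ../sites-available/inner-tunnel "$1/sites-enabled/inner-tunnel"
}

demo=$(mktemp -d); make_demo_raddb "$demo/ok"; make_demo_raddb "$demo/empty" empty
check_inner_tunnel "$demo/ok"; check_inner_tunnel "$demo/empty" || echo "exit status $?"
rm -rf "$demo"
```

Pointing check_inner_tunnel at a real raddb directory reports which of the two conditions fails, so the "Empty authorize section" warning can be tied to the file the server actually loads.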