ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Alan Buxey
alan.buxey at gmail.com
Mon Sep 25 16:22:48 CEST 2017
need more of the debug output. its likely that you havent enabled
require authentication type in the outer (default tunnel)
alan
On 25 September 2017 at 15:13, Adam Cage <adamcage27 at gmail.com> wrote:
> People, I have working OK a Freeradius with AD Authentication and LDAP
> Authorization. Everything is OK when I use my service to authenticate users
> for the WiFi service.
>
> But now I want to add a Cisco Firepower IPS authentication, and I fail. The
> Cisco Firepower IPS has a Radius configuration interface where I fill out
> all the basic necessary data: Radius IP and port, Secret and Default User
> Role.
>
> In the Freeradius server, I have edited
> /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a
> clause similar to the current ones, as follow (the unique condition is the
> user belongs to IPS LDAP group):
>
> if .....
> .......
> elsif (LDAP-Group == "IPS") {
> update reply {
> Reply-Message = "Hello %{User-Name}: Access enabled
> to Firepower"
> }
> ok
> }
> else {
> reject
> }
>
> and the Freeradius debug output is this:
>
> rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp
> [ldap] ldap_release_conn: Release Id: 0
> ? Evaluating (LDAP-Group == "IPS") -> TRUE
> ++? elsif (LDAP-Group == "IPS") -> TRUE
> ++elsif (LDAP-Group == "IPS") {
> +++update reply {
> expand: Hello %{User-Name}: Access enabled to Firepower -> Hello
> adam: Access enabled to Firepower
> +++} # update reply = noop
> +++[ok] = ok
> ++} # elsif (LDAP-Group == "IPS") = ok
> ++ ... skipping else for request 203: Preceding "if" was taken
> +} # group authorize = ok
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} -> adam
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 203 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 203
> Sending Access-Reject of id 147 to 172.20.1.1 port 52154
> Reply-Message = "Hello adam: Access enabled to Firepower"
>
>
> Please can you help me???
>
> Special thanks :)
>
> ADAM
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list