ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Adam Cage adamcage27 at gmail.com
Mon Sep 25 18:01:40 CEST 2017


Dear, thanks to both of you.

For WiFi service, I authenticate the users against the AD following Alan
DeKok's tutorial...that works OK. And also I authorize the users against
LDAP (from AD), enabling the ldap line in the default and inner-tunnel files and
evaluating if users belong or not to certain groups using the
Ldap-Groups attribute...that works OK too.

Now I have an IPS device, with 3 users that have to manage it and they
belong to an LDAP group that is used in the WiFi service, so I think the
policy is the same. In this case I want to authenticate any of these 3
users, and authorize them by evaluating if they belong to the IPS group. I
think the authentication method is the same as I'm using right now for the WiFi
service (defined for AD as described in Alan DeKok's tutorial).

Please, should I add more details or can you help me???

Regards!

ADAM



2017-09-25 11:23 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Sep 25, 2017, at 10:13 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > People, I have working OK a Freeradius with AD Authentication and LDAP
> > Authorization. Everything is OK when I use my service to authenticate
> users
> > for the WiFi service.
>
>   That's good.
>
> > But now I want to add a Cisco Firepower IPS authentication, and I fail.
> The
> > Cisco Firepower IPS has a Radius configuration interface where I fill out
> > all the basic necessary data: Radius IP and port, Secret and Default User
> > Role.
>
>   If the policies are very different from WiFi, you might want to use a
> different virtual server.  See raddb/sites-available/README
>
> > In the Freeradius server, I have edited
> > /etc/freeradius/sites-available/default and inner-tunnel files, adding
> a
> > clause similar to the current ones, as follow (the unique condition is
> the
> > user belongs to IPS LDAP group):
> >
> > if .....
> > .......
> > elsif (LDAP-Group == "IPS") {
> >                        update reply {
> >                        Reply-Message = "Hello %{User-Name}: Access
> enabled
> > to Firepower"
> >                        }
> >                        ok
> >                }
> > else {
> >                reject
> >        }
> >
> > and the Freeradius debug output is this:
>
>    OK...
>
> > rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp
> >  [ldap] ldap_release_conn: Release Id: 0
> > ? Evaluating (LDAP-Group == "IPS") -> TRUE
> > ++? elsif (LDAP-Group == "IPS") -> TRUE
> > ++elsif (LDAP-Group == "IPS") {
> > +++update reply {
> >        expand: Hello %{User-Name}: Access enabled to Firepower -> Hello
> > adam: Access enabled to Firepower
> > +++} # update reply = noop
> > +++[ok] = ok
> > ++} # elsif (LDAP-Group == "IPS") = ok
> > ++ ... skipping else for request 203: Preceding "if" was taken
> > +} # group authorize = ok
> > ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting
> > the user
> > Failed to authenticate the user.
>
>   Well that's clear.
>
> > Please can you help me???
>
>   Do you want to authenticate those users?  If so, how? LDAP?  Where are
> their accounts stored?
>
>   Right now, you're not authenticating them at all.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>

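The debug output quoted above shows why the request was rejected: the `elsif (LDAP-Group == "IPS")` branch runs `update reply` and then the bare return code `ok`, which ends the `authorize` section with result `ok` before any module or `update control` statement has chosen an Auth-Type, so the server reaches `authenticate` with nothing to run. Following Alan's suggestion of a separate virtual server, the following is an added example (not from the thread, the tutorial or the FreeRADIUS project) of a `raddb/sites-available/firepower` file that does the group check and then selects `ntlm_auth`, the exec module the AD tutorial sets up, for PAP requests. The file name, listen port, client address and secret are placeholders, the ldap module instance is assumed to be the one already used for WiFi, and the console is assumed to send `User-Password` (PAP); if it sends MS-CHAP instead, `mschap` with `ntlm_auth` would be selected in the same place.

```unlang
# raddb/sites-available/firepower  (hypothetical file, added example)
# Enable with: ln -s ../sites-available/firepower sites-enabled/firepower
server firepower {
	listen {
		type = auth
		ipaddr = *
		port = 1822          # assumed; point the Firepower RADIUS settings at this port
	}

	# Client defined inside the virtual server so only this server sees it.
	client firepower-mgmt {
		ipaddr = 192.0.2.10                      # assumed console address
		secret = "example-secret-replace-me"     # placeholder
	}

	authorize {
		preprocess

		# LDAP-Group is the comparison attribute provided by the ldap module
		# instance (assumed to be the one already configured for WiFi).
		# Anyone outside the IPS group is rejected before authentication.
		if (&LDAP-Group != "IPS") {
			update reply {
				Reply-Message = "Not a member of the IPS group"
			}
			reject
		}

		# This is the step the posted config was missing: pick an
		# authentication method.  The bare "ok" in the original snippet
		# ended authorize before anything set Auth-Type.  With a PAP request
		# (User-Password present) hand the check to the ntlm_auth exec module
		# from the AD tutorial, as the WiFi server does.
		if (!&control:Auth-Type && &User-Password) {
			update control {
				Auth-Type := ntlm_auth
			}
		}

		update reply {
			Reply-Message = "Hello %{User-Name}: Access enabled to Firepower"
		}
	}

	authenticate {
		# Runs only when authorize set Auth-Type := ntlm_auth above.
		Auth-Type ntlm_auth {
			ntlm_auth
		}
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

With the server running in debug mode (`radiusd -X`), a successful request should show `Auth-Type := ntlm_auth` being set in `authorize` and the `ntlm_auth` module running in `authenticate`; if the "No authenticate method (Auth-Type) found" line still appears, the `update control` block was not reached, which in practice means a bare `ok`, `reject` or similar return code earlier in `authorize` ended the section first.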