ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Adam Cage adamcage27 at gmail.com
Thu Sep 28 17:07:29 CEST 2017 

Dear Alan, I've followed your advice and it works OK, but not in the way I
want:

- Virtual server defined in /etc/freeradius/sites-available/ips

- This virtual server file has the following authentication section:

authenticate {
        ntlm_auth
...
}

- When I try to login the user, I get the error:

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.

But if I edit /etc/freeradius/users file adding at top (and maintaining the
ntlm_auth line in the virtual server file):

DEFAULT     Auth-Type = ntlm_auth

now the users can authenticate and login OK !!!

Please can you tell me why the first configuration doesn't work ??? Do I
have to use the "DEFAULT     Auth-Type = ntlm_auth" in order to put to work
the authentication ??? Take into account I've followed your "Authentication
with Active Directory" tutorial.

Thanks a lot,

ADAM

2017-09-25 13:10 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Sep 25, 2017, at 12:01 PM, Adam Cage <adamcage27 at gmail.com> wrote:
> > For WiFi service, I authenticate the users against te AD following Alan
> > Dekok's tutorial...that works OK. And also I authorize the users against
> > LDAP (from AD), enabling ldap line in default and inner-tunnel files and
> > evaluating if users belong or not to given certain groups using the
> > Ldap-Groups attribute...that works OK too.
>
>   That's good, but you already said that.  Please focus on fixing the
> problem, not describing things that already work.
>
> > Now I have an IPS device, with 3 users that have to manage it and they
> > belong to a LDAP group that is used in the WiFi service, so I think the
> > police is the same.
>
>   You "think"?  Are these people doing WiFi authentication when the log
> into the IPS device?
>
> > In this case I want to authenticate any of these 3
> > users, and authorize them evaluating if they belong to the IPS group. I
> > think the authentication method is the same as I'm using right now for
> WiFi
> > service (defined for AD as described in Alan Dekok's tutorial).
>
>   While they might still authenticate to AD, the policies are rather
> different.
>
> > Please, should I add more details or can you hel me???
>
>   read raddb/sites-available/README
>
>   You will want create a *new* virtual server, specifically for the IPS
> rules.
>
>   Copy the "default" virtual server.  Change the name to "server ips {
> ...}".  Delete all references to EAP.  Set up the IPS client in
> clients.conf with "virtual_server = ips"
>
>   The problem is that you don't know what the differences are between WiFi
> auth and the authentication used by the IPS server.  You can run the server
> in debug mode, and READ THE OUTPUT to see the differences.  They're not the
> same.
>
>   You can also read the documentation I suggested that you read.
>
>   Or, you can keep trying random things, and never get the problem solved.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>

More information about the Freeradius-Users mailing list