Re: incorrect auth-type
Sallee, Stephen (Jake) wrote:
> You will see that the user is found and authenticated by the ntlm_auth_Cru module, however the user is still rejected because the server says no auth-type was configured for the request. Any help is appreciated.

Yes, because you didn't put the configuration into the right place.

> I have the following lines in my users file:
> -
> DEFAULT Auth-Type := ntlm_auth
>         Fall-Through = Yes
> -
> I also have the following in my radius.conf:

Where? The location is important. You can't just put random text into random places, and expect it to do what you want.

> Here is the debug output:

From -Xx. Please use *just* '-X', as suggested everywhere. Following basic instructions is the first step to fixing the problem.

> --
> rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239, length=51
>         User-Name = image
>         User-Password = image
>         NAS-IP-Address = 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
> Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}

Hmm... you put the *authentication* configuration into the *authorization* section. Why?

See my web page for the *correct* configuration:

http://deployingradius.com/documents/configuration/active_directory.html

And you *deleted* files from the authorize section. This means that the users file entry you posted above does *nothing*.

> PS: I know it is not best practice to specify the default auth-type but this is a single purpose server and I know what types of requests are going to come to it, anything other than what I want should be discarded.

(1) don't butcher the configuration.
(2) Follow the documentation

If you want to use the fail-over configuration for 2 versions of ntlm_auth, read my web page and follow the instructions. Then, where it says to list ntlm_auth in the authenticate section, *instead*, put:

    Auth-Type ntlm_auth {
        group {
            ntlm_auth_Cru {
                reject = 1
                ok = return
            }
            ntlm_auth_UMHB {
                reject = 1
                ok = return
            }
        }
    }

That should work.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
incorrect auth-type
I am new to FreeRADIUS so please be patient with me. I am scouring the docs as I write this but so far I have been stumped. Below I have included the debug output of my server when I send it an authentication request.

You will see that the user is found and authenticated by the ntlm_auth_Cru module, however the user is still rejected because the server says no auth-type was configured for the request. Any help is appreciated.

I have the following lines in my users file:
-
DEFAULT Auth-Type := ntlm_auth
        Fall-Through = Yes
-
I also have the following in my radius.conf:
--
redundant ntlm_auth {
    group {
        ntlm_auth_Cru {
            reject = 1
            ok = return
        }
        ntlm_auth_UMHB {
            reject = 1
            ok = return
        }
    }
}
--
Here is the debug output:
--
rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239, length=51
        User-Name = image
        User-Password = image
        NAS-IP-Address = 10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: +++- entering group {...}
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru]expand: --username=%{mschap:User-Name} - --username=image
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru]expand: --password=%{User-Password} - --password=image
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program: returned: 0
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: +++- group returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[expiration] returns noop
Tue Jul 27 13:01:03 2010 : Info: ++[logintime] returns noop
GOT CLONE -1208792368 0x9f8ff70
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence SWITCH: 10.2.1.75
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence MAC:
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence USER: image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Name = image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Password = image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair NAS-IP-Address = 10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jul 27 13:01:03 2010 : Info: Failed to authenticate the user.
Tue Jul 27 13:01:03 2010 : Info: Using Post-Auth-Type Reject
Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
Tue Jul 27 13:01:03 2010 : Info: [attr_filter.access_reject]expand: %{User-Name} - image
Tue Jul 27 13:01:03 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns updated
Tue Jul 27 13:01:03 2010 : Info: Delaying reject of request 0 for 1 seconds
Tue Jul 27 13:01:03 2010 : Debug: Going to the next request
Tue Jul 27 13:01:03 2010 : Debug: Waking up in 0.8 seconds.
Tue Jul 27 13:01:04 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 239 to 10.2.1.75 port 46841
Tue Jul 27 13:01:04 2010 : Debug: Waking up in 4.9 seconds.
Tue Jul 27 13:01:09 2010 : Info: Cleaning up request 0 ID 239 with timestamp +26
Tue Jul 27 13:01:09 2010 : Debug: Ready to process requests.
--

PS: I know it is not best practice to specify the default auth-type but this is a single purpose server and I know what types of requests are going to come to it, anything other than what I want should be discarded.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
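
The diagnosis given in the reply can be read mechanically from the debug output. The following is an added example, not part of either message and not FreeRADIUS code: it walks one request's log, records which modules ran in each top-level section, and reports why the request ended with no Auth-Type. The function name `diagnose` and the `auth_prefixes` parameter are hypothetical; the sample is trimmed from the log posted above.

```python
import re

# Constructed sample: trimmed from the debug output posted in this thread.
SAMPLE = """\
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: +++- entering group {...}
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: +++- group returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[expiration] returns noop
Tue Jul 27 13:01:03 2010 : Info: ++[logintime] returns noop
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

SECTION = re.compile(r"Info: \+- entering group (\S+)")      # top-level sections only
MODULE = re.compile(r"Info: \+*\[([\w.]+)\] returns (\w+)")  # "[module] returns rcode"
NO_AUTH_TYPE = "No authenticate method (Auth-Type)"


def diagnose(log, auth_prefixes=("ntlm_auth",)):
    """Return findings for one request's debug log.

    auth_prefixes is an assumption of this example: name prefixes of
    modules that belong in the authenticate section.
    """
    section, seen, findings = None, {}, []
    for line in log.splitlines():
        m = SECTION.search(line)
        if m:
            section = m.group(1)
            seen.setdefault(section, [])
        elif (m := MODULE.search(line)) and section:
            seen[section].append(m.group(1))
        elif NO_AUTH_TYPE in line:
            ran = seen.get("authorize", [])
            findings.append("rejected: no Auth-Type set by the end of authorize")
            if "files" not in ran:
                findings.append("files did not run: users-file entries were not read")
            for name in ran:
                if name.startswith(auth_prefixes):
                    findings.append(name + " ran in authorize, not authenticate")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```
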