Re: incorrect auth-type

2010-07-28 Thread Alan DeKok
Sallee, Stephen (Jake) wrote:
> You will see that the user is found and authenticated by the
> ntlm_auth_Cru module, however the user is still rejected because the
> server says no auth-type was configured for the request.  Any help is
> appreciated.

  Yes, because you didn't put the configuration into the right place.

> I have the following lines in my users file:
> -
> DEFAULT Auth-Type := ntlm_auth
>     Fall-Through = Yes
> -
>
> I also have the following in my radius.conf:

  Where?  The location is important.  You can't just put random text
into random places, and expect it to do what you want.

> Here is the debug output:

  From -Xx.  Please use *just* -X, as suggested everywhere.
Following basic instructions is the first step to fixing the problem.

> --
> rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
> length=51
> User-Name = image
> User-Password = image
> NAS-IP-Address = 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
> Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}

  Hmm... you put the *authentication* configuration into the
*authorization* section.

  Why?

  See my web page for the *correct* configuration:

http://deployingradius.com/documents/configuration/active_directory.html

  And you *deleted* files from the authorize section.  This means
that the users file entry you posted above does *nothing*.

> PS: I know it is not best practice to specify the default auth-type but
> this is a single purpose server and I know what types of requests are
> going to come to it, anything other than what I want should be
> discarded.

  (1) don't butcher the configuration.
  (2) Follow the documentation

  If you want to use the fail-over configuration for 2 versions of
ntlm_auth, read my web page and follow the instructions.  Then, where it
says to list ntlm_auth in the authenticate section, *instead*, put:

Auth-Type ntlm_auth {
    group {
        ntlm_auth_Cru {
            reject = 1
            ok = return
        }
        ntlm_auth_UMHB {
            reject = 1
            ok = return
        }
    }
}

  That should work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
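
The diagnosis in the reply above can be read straight out of the debug trace: every module ran under `authorize`, and no `authenticate` group was ever entered before the reject. The following is an added example, not code from the thread or from FreeRADIUS; the names `trace` and `diagnose` are chosen here, and the regexes assume the debug line format shown in this thread.

```python
import re

# Constructed sample: lines excerpted from the debug output in this thread,
# with the e-mail line wraps rejoined and some lines dropped for brevity.
SAMPLE = """\
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns updated
"""

ENTER = re.compile(r": \+- entering group (\S+) ")  # top-level section only
RESULT = re.compile(r"\[([\w.]+)\] returns (\w+)")   # "[module] returns rcode"
NO_AUTH = "No authenticate method (Auth-Type)"

def trace(log):
    """Map each top-level section to the (module, rcode) pairs seen in it."""
    sections, current, missing = {}, None, False
    for line in log.splitlines():
        m = ENTER.search(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif NO_AUTH in line:
            missing = True
        elif current and (m := RESULT.search(line)):
            sections[current].append(m.groups())
    return sections, missing

def diagnose(log):
    """Return None unless the request was rejected for a missing Auth-Type."""
    sections, missing = trace(log)
    if not missing:
        return None
    ran = [name for name, rc in sections.get("authorize", []) if rc == "ok"]
    return {
        "authenticate_entered": "authenticate" in sections,
        "ok_in_authorize": ran,
    }
```

On the sample, `diagnose(SAMPLE)` reports that `ntlm_auth_Cru` returned ok inside `authorize` while `authenticate` was never entered, which is the misplacement the reply points out.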


incorrect auth-type

2010-07-27 Thread Sallee, Stephen (Jake)

I am new to FreeRADIUS so please be patient with me.  I am scouring the
docs as I write this but so far I have been stumped.  Below I have
included the debug output of my server when I send it an authentication
request.

You will see that the user is found and authenticated by the
ntlm_auth_Cru module, however the user is still rejected because the
server says no auth-type was configured for the request.  Any help is
appreciated.

I have the following lines in my users file:
-
DEFAULT Auth-Type := ntlm_auth
    Fall-Through = Yes
-

I also have the following in my radius.conf:
--
redundant ntlm_auth {
    group {
        ntlm_auth_Cru {
            reject = 1
            ok = return
        }
        ntlm_auth_UMHB {
            reject = 1
            ok = return
        }
    }
}
--


Here is the debug output:
--
rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
length=51
User-Name = image
User-Password = image
NAS-IP-Address = 10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: +++- entering group  {...}
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru]expand:
--username=%{mschap:User-Name} -> --username=image
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru]expand:
--password=%{User-Password} -> --password=image
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program: returned: 0
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: +++- group  returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[expiration] returns noop
Tue Jul 27 13:01:03 2010 : Info: ++[logintime] returns noop
GOT CLONE -1208792368 0x9f8ff70
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence SWITCH:
10.2.1.75
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence MAC:
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence USER: image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Name = image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Password =
image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair NAS-IP-Address =
10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Jul 27 13:01:03 2010 : Info: Failed to authenticate the user.
Tue Jul 27 13:01:03 2010 : Info: Using Post-Auth-Type Reject
Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
Tue Jul 27 13:01:03 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> image
Tue Jul 27 13:01:03 2010 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns
updated
Tue Jul 27 13:01:03 2010 : Info: Delaying reject of request 0 for 1
seconds
Tue Jul 27 13:01:03 2010 : Debug: Going to the next request
Tue Jul 27 13:01:03 2010 : Debug: Waking up in 0.8 seconds.
Tue Jul 27 13:01:04 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 239 to 10.2.1.75 port 46841
Tue Jul 27 13:01:04 2010 : Debug: Waking up in 4.9 seconds.
Tue Jul 27 13:01:09 2010 : Info: Cleaning up request 0 ID 239 with
timestamp +26
Tue Jul 27 13:01:09 2010 : Debug: Ready to process requests.
--


PS: I know it is not best practice to specify the default auth-type but
this is a single purpose server and I know what types of requests are
going to come to it, anything other than what I want should be
discarded.



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



