Freeradius + Openldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Felix picture Felix · Mar 19, 2015 · Viewed 16.9k times · Source

after a couple of days searching in google I have to resign and ask :/

We're using a debian server with openldap and radius installed. When I connect to the radius using radtest everything is fine, but when I use an accesspoint (and the connection goes through the tunnel) I get the folloing result. The inner-tunnel looks like this:

authorize {
        update control {
               Proxy-To-Realm := LOCAL
        }


        eap {
                ok = return
    }

        files


        ldap {
                ok = return
        }


        expiration
        logintime

        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }


        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
    }
        unix

        eap

}




    [eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 172 to 192.168.2.110 port 33954
        EAP-Message = 0x0113004515800000003b14030100010116030100307485d545d269c20cba37d5a8e3f3dda1d7b0d7909407079307a1977c0d4a2a5960f66bd0a04ca5abe9493a46744ba417
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x37c6679131d5723a9d1ac717c8b684a5
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.110 port 33954, id=244, length=430
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        User-Name = "cwalonka"
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        EAP-Message = 0x0213009f1580000000951703010090d5e4e84e029bbae0b1439267d5aafc0d726c399d77cba2eafa00c2a4b017bc8534ce405e39415114d39c5c1ef019a6230fb218df0fb61140d9d9be0a1d4b9b860fe559bd90083a5b618b2643300fa5da12094d111e77dabdcbfe5f7312675206636f235a111e0b6f9ca670cf825e8a6813a8693187457432e4dae68c5be7704a7f5c716bce9c75b96179b583744b0d28
        State = 0x37c6679131d5723a9d1ac717c8b684a5
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x8a74e1eca7f77b377dacbdf3ec8c1a24
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 19 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for cwalonka
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> cwalonka
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cwalonka)
[ldap]  expand: dc=it-economics,dc=de -> dc=it-economics,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=it-economics,dc=de, with filter (uid=cwalonka)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
[ldap] looking for reply items in directory...
[ldap] user cwalonka authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

Thanks for your help

Answer

Carlos Montes Llanos picture Carlos Montes Llanos · Oct 18, 2018

I realized that it is not necessary put pap configuration when you can authenticate to ldap server. Official documentation says that when you have "passwords" you need pap, but it is not neccesary.

This is my setup in file /etc/raddb/sites-available/default , tested and running from a freeradius 3 connecting to redhat directory 10 (ldap)

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
         if (!control:Auth-Type) {
                ldap

                if (ok && User-Password) {
                        update {
                        control:Auth-Type := LDAP
                        }
                }
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type LDAP {
               ldap
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
    } 
    pre-proxy {
    }
    post-proxy {
        eap
    }
}