问题
after a couple of days searching in google I have to resign and ask :/
We're using a debian server with openldap and radius installed. When I connect to the radius using radtest everything is fine, but when I use an accesspoint (and the connection goes through the tunnel) I get the folloing result. The inner-tunnel looks like this:
authorize {
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
ldap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 172 to 192.168.2.110 port 33954
EAP-Message = 0x0113004515800000003b14030100010116030100307485d545d269c20cba37d5a8e3f3dda1d7b0d7909407079307a1977c0d4a2a5960f66bd0a04ca5abe9493a46744ba417
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37c6679131d5723a9d1ac717c8b684a5
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.110 port 33954, id=244, length=430
Acct-Session-Id = "f9dbf293-00000006"
NAS-Port = 7
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN35D335T4"
NAS-IP-Address = 192.168.2.110
Framed-MTU = 1496
User-Name = "cwalonka"
Calling-Station-Id = "88-63-DF-16-A1-C8"
Called-Station-Id = "2C-44-FD-3C-E6-D1"
Service-Type = Framed-User
EAP-Message = 0x0213009f1580000000951703010090d5e4e84e029bbae0b1439267d5aafc0d726c399d77cba2eafa00c2a4b017bc8534ce405e39415114d39c5c1ef019a6230fb218df0fb61140d9d9be0a1d4b9b860fe559bd90083a5b618b2643300fa5da12094d111e77dabdcbfe5f7312675206636f235a111e0b6f9ca670cf825e8a6813a8693187457432e4dae68c5be7704a7f5c716bce9c75b96179b583744b0d28
State = 0x37c6679131d5723a9d1ac717c8b684a5
Colubris-AVPair = "ssid=Radius"
Colubris-AVPair = "group=Default Group"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x8a74e1eca7f77b377dacbdf3ec8c1a24
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 19 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "cwalonka"
MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "cwalonka"
MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
FreeRADIUS-Proxied-To = 127.0.0.1
Acct-Session-Id = "f9dbf293-00000006"
NAS-Port = 7
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN35D335T4"
NAS-IP-Address = 192.168.2.110
Framed-MTU = 1496
Calling-Station-Id = "88-63-DF-16-A1-C8"
Called-Station-Id = "2C-44-FD-3C-E6-D1"
Service-Type = Framed-User
Colubris-AVPair = "ssid=Radius"
Colubris-AVPair = "group=Default Group"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for cwalonka
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> cwalonka
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cwalonka)
[ldap] expand: dc=it-economics,dc=de -> dc=it-economics,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=it-economics,dc=de, with filter (uid=cwalonka)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
[ldap] looking for reply items in directory...
[ldap] user cwalonka authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Thanks for your help
回答1:
I realized that it is not necessary put pap configuration when you can authenticate to ldap server. Official documentation says that when you have "passwords" you need pap, but it is not neccesary.
This is my setup in file /etc/raddb/sites-available/default , tested and running from a freeradius 3 connecting to redhat directory 10 (ldap)
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
authorize {
if (!control:Auth-Type) {
ldap
if (ok && User-Password) {
update {
control:Auth-Type := LDAP
}
}
}
expiration
logintime
}
authenticate {
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
}
accounting {
detail
unix
radutmp
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
}
回答2:
LDAP module call should be:
authorize {
ldap
if (ok) {
update control {
Auth-Type := LDAP
}
return
}
}
And you must also list LDAP in the authenticate section.
authenticate {
ldap
}
All modules in FreeRADIUS have multiple methods that are called at different request processing stages.
The methods in authorize are for gathering additional subscriber information from databases. The methods in authenticate are for authenticating user credentials, and the methods in post-auth are for setting an authorizational policy (VLANs, session timeouts etc...).
For some modules the authorize method tells the server what module to use for authentication. For others this needs to be done manually.
回答3:
I can't comment on the previous answer as I don't have enough reputation, but I found alternate syntax in this mailing list post., although, that didn't work. Instead I used Auth-Type as a conditional like this:
authorize {
files
if (ok && User-Password) {
update {
control:Auth-Type := pap
}
}
if (!control:Auth-Type) {
ldap_files
ldap
if (ok && User-Password) {
update {
control:Auth-Type := LDAP
}
}
}
pap
}
This seems to achieve my goal of setting the Auth-Type properly as well as being able to limit the modules touched by authorization.
回答4:
Add on /etc/freeradius/3.0/users
the line -
ubuntu version
username Cleartext-Password := "passwordofuser"
And test again.
来源:https://stackoverflow.com/questions/29148473/freeradius-openldap-error-no-authenticate-method-auth-type-found-for-the-re