Freeradius + Openldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user


Problem description

After a couple of days of searching on Google I have to give up and ask :/

We're using a Debian server with OpenLDAP and RADIUS installed. When I connect to the RADIUS server using radtest everything is fine, but when I use an access point (and the connection goes through the tunnel) I get the following result. The inner-tunnel looks like this:

authorize {
        update control {
               Proxy-To-Realm := LOCAL
        }


        eap {
                ok = return
        }

        files


        ldap {
                ok = return
        }


        expiration
        logintime

        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }


        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }
        unix

        eap

}


[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 172 to 192.168.2.110 port 33954
        EAP-Message = 0x0113004515800000003b14030100010116030100307485d545d269c20cba37d5a8e3f3dda1d7b0d7909407079307a1977c0d4a2a5960f66bd0a04ca5abe9493a46744ba417
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x37c6679131d5723a9d1ac717c8b684a5
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.110 port 33954, id=244, length=430
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        User-Name = "cwalonka"
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        EAP-Message = 0x0213009f1580000000951703010090d5e4e84e029bbae0b1439267d5aafc0d726c399d77cba2eafa00c2a4b017bc8534ce405e39415114d39c5c1ef019a6230fb218df0fb61140d9d9be0a1d4b9b860fe559bd90083a5b618b2643300fa5da12094d111e77dabdcbfe5f7312675206636f235a111e0b6f9ca670cf825e8a6813a8693187457432e4dae68c5be7704a7f5c716bce9c75b96179b583744b0d28
        State = 0x37c6679131d5723a9d1ac717c8b684a5
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x8a74e1eca7f77b377dacbdf3ec8c1a24
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 19 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for cwalonka
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> cwalonka
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cwalonka)
[ldap]  expand: dc=it-economics,dc=de -> dc=it-economics,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=it-economics,dc=de, with filter (uid=cwalonka)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
[ldap] looking for reply items in directory...
[ldap] user cwalonka authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

Thanks for your help

Recommended answer

I realized that it is not necessary to put the pap configuration in when you can authenticate to the LDAP server. The official documentation says that when you have "passwords" you need pap, but it is not necessary.

This is my setup in the file /etc/raddb/sites-available/default, tested and running on a FreeRADIUS 3 connecting to Red Hat Directory 10 (LDAP):

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
         if (!control:Auth-Type) {
                ldap

                if (ok && User-Password) {
                        update {
                        control:Auth-Type := LDAP
                        }
                }
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type LDAP {
               ldap
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
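The failure path in the debug output quoted in the question can be checked mechanically. The script below is an added example, not code from the question or the answer; it runs over a constructed excerpt of that log and reports that the tunneled request is MS-CHAPv2 (no User-Password, so a rule keyed on `User-Password` like the one in the answer would not set Auth-Type for it either) and that ldap was the last authorize module to run, which matches the `ok = return` on ldap in the posted inner-tunnel config. That the mschap module needs an NT or cleartext password, which an {SSHA} hash from LDAP cannot supply, is a known FreeRADIUS constraint and not something the page itself states.

```python
import re

# Constructed excerpt of the FreeRADIUS 2.x debug output quoted in the question;
# only the lines the analysis needs are reproduced and hex values are shortened.
SAMPLE_LOG = """\
[ttls] Got tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a32021
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
server inner-tunnel {
++[control] returns notfound
++[eap] returns noop
++[files] returns noop
  [ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
} # server inner-tunnel
"""

MODULE_RC = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")     # "++[ldap] returns ok"
ATTR = re.compile(r"^\s+([\w-]+) = ")                        # indented attribute lines
PW_HEADER = re.compile(r'Password-With-Header == "\{(\w+)\}')  # hash scheme from LDAP
NO_AUTH_TYPE = "ERROR: No authenticate method (Auth-Type) found"

def analyse(log: str) -> dict:
    """Summarise why the inner-tunnel authorize pass ended without an Auth-Type."""
    r = {"modules": [], "tunneled_attrs": [], "password_header": None,
         "rejected": False, "findings": []}
    in_request = False
    for line in log.splitlines():
        if line.startswith("[ttls] Got tunneled request"):
            in_request = True          # attributes of the inner request follow
            continue
        if in_request and ATTR.match(line):
            r["tunneled_attrs"].append(ATTR.match(line).group(1))
            continue
        in_request = False             # first non-attribute line ends the request dump
        if m := MODULE_RC.match(line):
            r["modules"].append((m.group(1), m.group(2)))
        elif m := PW_HEADER.search(line):
            r["password_header"] = m.group(1)
        elif line.startswith(NO_AUTH_TYPE):
            r["rejected"] = True
    attrs = set(r["tunneled_attrs"])
    if r["rejected"] and r["modules"] and r["modules"][-1] == ("ldap", "ok"):
        r["findings"].append("ldap was the last authorize module to run: with "
                             "'ok = return' nothing after it (pap) could set Auth-Type")
    if "MS-CHAP2-Response" in attrs and "User-Password" not in attrs:
        r["findings"].append("inner request is MS-CHAPv2, not PAP: a rule keyed on "
                             "User-Password will not fire, and mschap needs an NT or "
                             "cleartext password, which a {%s} hash cannot supply"
                             % r["password_header"])
    return r
```

Running `analyse(SAMPLE_LOG)` on the real `radiusd -X` output instead of the excerpt gives the same two findings, since the patterns match the unshortened lines.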
