realm not found


rune.t...@gmail.com

Jul 1, 2015, 12:42:13 AM
to lin...@googlegroups.com
Hi team,
in my case I have users who use their userPrincipalName to log on, and they have many different suffixes such as du...@nukem.com, ja...@honda.com and s...@speed.com, you get the idea...

When I try to log on via FreeRADIUS I get "realm not found". I want to pass the entire username (the userPrincipalName attribute) to LinOTP for authentication.

Where do I configure this? I am stuck with the below:

Wed Jul 1 06:35:14 2015 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 101.11.51.101 port 54389, id=0, length=95
Message-Authenticator = 0xb0b242861ef2dddd2a5273c50df65fbb
User-Name = "du...@nukem.com"
User-Password = "1234"
NAS-Identifier = "ctxsg.mydomain.com"
NAS-IP-Address = 101.11.51.101
Wed Jul 1 06:35:29 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/linotp
Wed Jul 1 06:35:29 2015 : Info: +- entering group authorize {...}
Wed Jul 1 06:35:29 2015 : Info: ++[preprocess] returns ok
Wed Jul 1 06:35:29 2015 : Info: [suffix] Looking up realm "nukem.com" for User-Name = "du...@nukem.com"
Wed Jul 1 06:35:29 2015 : Info: [suffix] No such realm "nukem.com"
Wed Jul 1 06:35:29 2015 : Info: ++[suffix] returns noop
Wed Jul 1 06:35:29 2015 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jul 1 06:35:29 2015 : Info: ++[pap] returns noop
Wed Jul 1 06:35:29 2015 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Wed Jul 1 06:35:29 2015 : Info: Failed to authenticate the user.

Mirko Ahnert

Jul 1, 2015, 4:38:31 AM
to lin...@googlegroups.com, rune.t...@gmail.com
Dear Rune,

you have two options here:

1. try to add the realm to the login name: t...@nukem.com@realm1 (this will work correctly in the upcoming patch release)

or

2. try to deactivate the interpretation of the string after the last @ as realm:

Go to the token management web interface --> "LinOTP Config" --> "System config" --> "splitAtSign"

The last solution should work in the current release, but the downside is that the user has to be in the default realm.

Best regards,

Mirko

-- 
Mirko Ahnert 
LSE Leading Security Experts GmbH, http://www.lsexperts.de 
Postfach 100121, 64201 Darmstadt, Germany 
Zentrale: +49 6151 86086-0 , Fax: -299 
Support Hotline: +49 6151 86086-115 
Unternehmenssitz: Weiterstadt Amtsgericht Darmstadt: HRB8649 
Geschäftsführer: Oliver Michel, Sven Walther 
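The login-name splitting that the two options above switch on or off, as an added model for illustration (not LinOTP's own code); the realm names, the default realm and the sample User-Name are constructed from the thread:

```python
import re
from typing import NamedTuple, Optional

# Constructed from the thread: a single realm, "myrealm", which is also
# the default realm.  Illustrative model, not LinOTP's own implementation.
CONFIGURED_REALMS = {"myrealm"}
DEFAULT_REALM = "myrealm"


class LoginName(NamedTuple):
    user: str             # name handed to the UserIdResolver
    realm: Optional[str]  # resolved realm; None models "realm not found"


def split_login(login: str, split_at_sign: bool) -> LoginName:
    """Model of the splitAtSign behaviour described in the thread.

    Enabled: the text after the LAST '@' is taken as the realm and must be a
    configured realm.  Disabled: the whole string is the user name and the
    default realm applies (so the user must live in the default realm).
    """
    if not split_at_sign or "@" not in login:
        return LoginName(user=login, realm=DEFAULT_REALM)
    user, _, realm = login.rpartition("@")
    return LoginName(user=user, realm=realm if realm in CONFIGURED_REALMS else None)


def user_name_from_radius_debug(debug_output: str) -> Optional[str]:
    """Pull the User-Name attribute out of FreeRADIUS debug (radiusd -X) output."""
    match = re.search(r'^\s*User-Name\s*=\s*"([^"]*)"', debug_output, re.MULTILINE)
    return match.group(1) if match else None


# Constructed sample resembling the rad_recv block in the first post.
SAMPLE_DEBUG = '''rad_recv: Access-Request packet from host 101.11.51.101 port 54389, id=0, length=95
\tUser-Name = "duke@nukem.com"
\tUser-Password = "1234"
'''

if __name__ == "__main__":
    upn = user_name_from_radius_debug(SAMPLE_DEBUG)
    print("plain UPN, split on :", split_login(upn, True))              # realm None -> "realm not found"
    print("UPN@realm, split on :", split_login(upn + "@myrealm", True))  # option 1
    print("plain UPN, split off:", split_login(upn, False))             # option 2
```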

Rune Tipsmark

Jul 1, 2015, 4:59:21 AM
to Mirko Ahnert, lin...@googlegroups.com
Hi Mirko, none of these would work for me.

1. I carry the username on from the Citrix site login; this is the userPrincipalName and cannot have @realm appended since.

2. I have one realm only, named "myrealm". All users, regardless of their userPrincipalName, are in this realm as they are in the same Active Directory. I tried to remove the "split" but the result is the same. The realm does not match the suffix after @ for any user.

I was able to do this with OpenOTP, so it should be possible with LinOTP as well?

Mirko Ahnert

Jul 1, 2015, 8:43:24 AM
to lin...@googlegroups.com, rune.t...@gmail.com
Hi Rune,

The second solution should work. But reading your error messages again, it seems to me to be a configuration issue with FreeRADIUS:

Wed Jul  1 06:35:29 2015 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Could you please check whether LinOTP sees any authentication request at all? Do you use the LSE Appliance, or how did you install LinOTP? What does the FreeRADIUS configuration look like, especially /etc/freeradius/users? Is it possible to authenticate a user with a "regular" username from a test UserIdResolver (e.g. /etc/passwd) via FreeRADIUS?

Greetings,

Mirko
