EAP-TTLS + PAP with external script

Dario Maccari d_maccari at hotmail.com
Tue May 13 17:03:45 CEST 2008


I'm trying to use an external PHP script to authenticate users connecting to an Access Point.
The protocol used is EAP-TTLS with PAP as the inner authentication protocol.

The relevant parts of the config file I use are:

********** radiusd.conf *************
modules {
        pap {
                auto_header = yes
        }
        exec test {
                wait = yes
                program = "/usr/local/bin/php -f /etc/raddb/radiusaccess.php"
                input_pairs = request
                output_pairs = reply
        }
}

authorize {
        preprocess
        suffix
        eap
        pap
}

authenticate {
        Auth-Type PAP {
                test
        }
        eap
}

************* END radiusd.conf **********

When I try to connect, the TTLS communication seems to work fine, but
this is the relevant output of radiusd -X at the final steps:

************ radiusd -X *****************
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "testa"
        User-Password = "testb"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "testa"
        User-Password = "testb"
        FreeRADIUS-Proxied-To = 127.0.0.1
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Id = "wlan1"
        Calling-Station-Id = "00-13-49-71-85-68"
        Called-Station-Id = "00-80-48-47-6B-E1:comune_segrate_milano_oltre"
        NAS-Identifier = "AP2"
        NAS-IP-Address = 192.168.11.168
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
    rlm_realm: No '@' in User-Name = "testa", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 9
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
************************ END radiusd -X ******************

As you can see there is the message:
"rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 9"
So the PHP script for PAP authorization is not even executed.
Maybe there is something I missed in the configuration?

Thanks
Maccari Dario
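
An added example, not part of the original post: a small Python triage of the `radiusd -X` lines quoted above. It lists what each authorize module returned for the tunneled request, reports whether the Auth-Type rejection line is present, and masks the tunneled PAP password before the log is shared. The names `triage` and `redact` are hypothetical helpers; the sample lines are copied from the post's debug output.

```python
import re

# Lines copied from the radiusd -X output in the post (inner tunneled request only).
SAMPLE = '''\
  TTLS: Sending tunneled request
        User-Name = "testa"
        User-Password = "testb"
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "suffix" returns noop for request 9
  modcall[authorize]: module "eap" returns noop for request 9
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
  TTLS: Got tunneled Access-Reject
'''

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"
PASSWORD = re.compile(r'(User-Password = )"[^"]*"')

def redact(log):
    """Mask cleartext inner PAP passwords before the log is shared."""
    return PASSWORD.sub(r'\1"<redacted>"', log)

def triage(log):
    """Return per-section module results and whether Auth-Type was never set."""
    results = {}              # section name -> list of (module, return code)
    missing_auth_type = False
    for line in log.splitlines():
        m = MODCALL.search(line)
        if m:
            section, module, rcode, _request = m.groups()
            results.setdefault(section, []).append((module, rcode))
        elif NO_AUTH_TYPE in line:
            missing_auth_type = True
    return {
        "authorize": results.get("authorize", []),
        "authenticate_ran": "authenticate" in results,
        "missing_auth_type": missing_auth_type,
    }

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(triage(SAMPLE))
```

On these lines the report shows every authorize module returning `ok` or `noop`, no authenticate module call for the tunneled request, and the Auth-Type rejection line present.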