In eap.conf, for eap-ttls there is a line<br><br>virtual_server = "inner-tunnel"<br><br>I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files, like this <br>
<br>Auth-Type PAP<br>{<br> pap<br>}<br><br>if(!control:Auth-Type) {<br>
update control {<br>
Auth-Type = ntlm_auth_pap<br>
}<br>
}<br><br>and when I try to restart the server, I get the following error:<br><br><font size="4"><code><span style="color: rgb(0, 0, 0);">radiusd: #### Loading Virtual Servers ####
<br>server inner-tunnel {
<br> modules {
<br> Module: Checking authenticate {...} for more modules to load
<br> Module: Linked to module rlm_pap
<br> Module: Instantiating pap
<br> pap {
<br> encryption_scheme = "auto"
<br> auto_header = no
<br> }
<br>/etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value ntlm_auth_pap for attribute Auth-Type
<br>/etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse "update" subsection.
<br>/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
<br>Errors initializing modules</span></code></font><br><br><font face="arial,helvetica,sans-serif"><font size="2">Sorry if I am asking stupid questions, but </font></font>I am new to Linux and FreeRADIUS, and this is all so confusing for me :) What am I doing wrong?<br>
<br><br><div class="gmail_quote">On Fri, Jun 26, 2009 at 00:03, Ivan Kalik <span dir="ltr">&lt;<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">> First, thanks Alan for your help, I managed to make it work with AD. Now I<br>
> want to try to test to make EAP-TTLS with PAP to authenticate users in<br>
> domain. I saw this link<br>
> <a href="http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html" target="_blank">http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html</a><br>
><br>
> So I added the following lines to the modules section of radiusd.conf<br>
><br>
> exec ntlm_auth_pap {<br>
> wait = yes<br>
> input_pairs = request<br>
> shell_escape = yes<br>
> output = none<br>
><br>
> program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE<br>
> --password=%{User-Password}"<br>
> }<br>
><br>
> and I edited /etc/freeradius/sites-available/default file and<br>
> /etc/freeradius/sites-enabled/default, section authenticate to<br>
><br>
> Auth-Type PAP<br>
> {<br>
> ntlm_auth_pap<br>
> }<br>
<br>
</div>Don't do that. One - it's the wrong virtual server and two - it's not going<br>
to work. Use the same technique as in the guide for pap requests. List<br>
ntlm_auth_pap in the authenticate section of the inner-tunnel virtual server (look<br>
at the ttls section of eap.conf and you will see where inner tunnel<br>
requests will end up). Forcing Auth-Type in the users file might break a few things,<br>
so add this to the authenticate section of the inner-tunnel virtual server *after*<br>
pap instead:<br>
<br>
if(!control:Auth-Type) {<br>
update control {<br>
Auth-Type = ntlm_auth_pap<br>
}<br>
}<br>
<br>
That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if<br>
the password is nowhere to be found.<br>
<font color="#888888"><br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br>
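An added example, not part of the thread and not FreeRADIUS code: a small Python check for the "Unknown value ... for attribute Auth-Type" error quoted above. It assumes an Auth-Type value is only known when the authenticate section lists it, either as a bare module name or as an `Auth-Type NAME { }` subsection (the reply's "List ntlm_auth_pap in the authenticate section"); the function name and both sample sections are constructed.

```python
import re

# Constructed sample: the authenticate section as described in the message
# above. It sets Auth-Type = ntlm_auth_pap but never lists ntlm_auth_pap.
BROKEN = """
authenticate {
    Auth-Type PAP {
        pap
    }
    if (!control:Auth-Type) {
        update control {
            Auth-Type = ntlm_auth_pap
        }
    }
}
"""

# Constructed sample: same section with the module listed after pap.
FIXED = BROKEN.replace("    if (", "    ntlm_auth_pap\n    if (", 1)


def undefined_auth_types(config):
    """Return (line_number, value) for each Auth-Type assignment inside
    authenticate { } whose value is not listed in that section."""
    defined, used = set(), []
    depth, inside = 0, False
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if not inside:
            if re.match(r"authenticate\s*\{", line):
                inside, depth = True, 1
            continue
        assign = re.match(r"Auth-Type\s*:?=\s*(\S+)", line)
        if assign:                               # Auth-Type = VALUE (any depth)
            used.append((lineno, assign.group(1)))
        elif depth == 1:                         # top level of authenticate
            sub = re.match(r"Auth-Type\s+([\w-]+)\s*\{?$", line)
            if sub:                              # Auth-Type NAME { ... }
                defined.add(sub.group(1))
            elif re.fullmatch(r"[\w.-]+", line): # bare module name
                defined.add(line)
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            inside = False
    return [(n, v) for n, v in used if v not in defined]


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, undefined_auth_types(cfg))
```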