Thanks for the hint. What would be the best place and way to do this? Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap). I also tried: if (Control:Auth-Type == "") { update control { Auth-Type := PAP } } and: if (!Control:Auth-Type) { update control { Auth-Type := PAP } } but they don't match. Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough). Regards, Bram. Ivan Kalik wrote:
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" }
then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap }
Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" }
I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.