In eap.conf, for eap-ttls there is a line

virtual_server = "inner-tunnel"

I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files, like this

Auth-Type PAP
{
      pap
}

if(!control:Auth-Type) {
    update control {
         Auth-Type = ntlm_auth_pap
    }
}

and when I try to restart the server, I get following error:

radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
/etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value ntlm_auth_pap for attribute Auth-Type
/etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse "update" subsection.
/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. 
Errors initializing modules


Sorry if I am asking stupid questions, but I am new to linux and freeradius, and this is all so confusing for me :) What I am doing wrong?


On Fri, Jun 26, 2009 at 00:03, Ivan Kalik <tnt@kalik.net> wrote:
> First, thanks Alan for your help, I managed to make it work with AD. Now I
> want to try to test to make EAP-TTLS with PAP to authenticate users in
> domain. I saw this link
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
>
> So I added following lines to modules section of radiusd.conf
>
>  exec ntlm_auth_pap {
>               wait = yes
>               input_pairs = request
>               shell_escape = yes
>               output = none
>
>               program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE
> --password=%{User-Password}"
>   }
>
> and I edited /etc/freeradius/sites-available/default file and
> /etc/freeradius/sites-enabled/default, section authenticate to
>
> Auth-Type PAP
> {
> ntlm_auth_pap
> }

Don't do that. One - it's a wrong virtual server and two - it's not going
to work. Use the same technique as in the guide for pap requests. List
ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look
at ttls section of eap.conf and you will see where will inner tunnel
requests end up). Forcing Auth-Type in users file might break a few things
so add this to authenticate section of inner-tunnel virtual server *after*
pap instead:

if(!control:Auth-Type) {
    update control {
         Auth-Type = ntlm_auth_pap
    }
}

That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if
password is nowhere to be found.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html