Ok... I took Alan's advise of taking it out of pap, my config is now: authenticate { .. ntlm_auth_pap and authorize { ..(near the end).. ntlm_auth_pap I then tried the following statements right before ntlm_auth_pap in authorize (you said to check if Auth-Type exists, this is the correct way to do that, right?): if (!Control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } } this results in: Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type) Thu May 29 13:01:47 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE and I tried this: if (Control:Auth-Type == "") { update control { Auth-Type = ntlm_auth_pap } } which resulted in: Thu May 29 13:04:45 2008 : Debug: ++[logintime] returns noop Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "") Thu May 29 13:04:45 2008 : Debug: ? Evaluating (Control:Auth-Type == "") -> FALSE Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "") -> FALSE Now, for the record, this is what I now get.. a bit more verbose: Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type) Thu May 29 13:05:27 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Thu May 29 13:05:27 2008 : Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Thu May 29 13:05:27 2008 : Debug: expand: --password=%{User-Password} -> --password=xxx Thu May 29 13:05:27 2008 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Thu May 29 13:05:27 2008 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Thu May 29 13:05:27 2008 : Debug: Exec-Program: returned: 0 Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Thu May 29 13:05:27 2008 : Debug: ++[ntlm_auth_pap] returns ok Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Thu May 29 13:05:27 2008 : Debug: ++[pap] returns noop Thu May 29 13:05:27 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Thu May 29 13:05:27 2008 : Debug: auth: Failed to validate the user. Thanks for your time / Regards, Bram. PS: I also tried 'if (!(Control:Auth-Type))' just in case, but same problem. Ivan Kalik wrote:
= not :=. Or check if Auth-Type already exists.
Ivan Kalik Kalik Informatika ISP
Dana 29/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap).
I also tried: if (Control:Auth-Type == "") { update control { Auth-Type := PAP } } and: if (!Control:Auth-Type) { update control { Auth-Type := PAP } } but they don't match.
Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough).
Regards,
Bram.
Ivan Kalik wrote:
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" }
then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap }
Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" }
I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html