EAP-TTLS w/PAP using ntlm_auth
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" } then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap } Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course). Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended. But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up. I always end up with this: Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel) I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" } I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop I've reverted that attempt before trying everything I mentioned earlier, though. Regards, Bram.
Use unlang to set Auth-Type PAP even if pap returns noop. Ivan Kalik Kalik Informatika ISP Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" }
then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap }
Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" }
I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the hint. What would be the best place and way to do this? Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap). I also tried: if (Control:Auth-Type == "") { update control { Auth-Type := PAP } } and: if (!Control:Auth-Type) { update control { Auth-Type := PAP } } but they don't match. Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough). Regards, Bram. Ivan Kalik wrote:
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" }
then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap }
Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" }
I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
= not :=. Or check if Auth-Type already exists. Ivan Kalik Kalik Informatika ISP Dana 29/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap).
I also tried: if (Control:Auth-Type == "") { update control { Auth-Type := PAP } } and: if (!Control:Auth-Type) { update control { Auth-Type := PAP } } but they don't match.
Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough).
Regards,
Bram.
Ivan Kalik wrote:
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" }
then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap }
Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" }
I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok... I took Alan's advise of taking it out of pap, my config is now: authenticate { .. ntlm_auth_pap and authorize { ..(near the end).. ntlm_auth_pap I then tried the following statements right before ntlm_auth_pap in authorize (you said to check if Auth-Type exists, this is the correct way to do that, right?): if (!Control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } } this results in: Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type) Thu May 29 13:01:47 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE and I tried this: if (Control:Auth-Type == "") { update control { Auth-Type = ntlm_auth_pap } } which resulted in: Thu May 29 13:04:45 2008 : Debug: ++[logintime] returns noop Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "") Thu May 29 13:04:45 2008 : Debug: ? Evaluating (Control:Auth-Type == "") -> FALSE Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "") -> FALSE Now, for the record, this is what I now get.. a bit more verbose: Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type) Thu May 29 13:05:27 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Thu May 29 13:05:27 2008 : Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Thu May 29 13:05:27 2008 : Debug: expand: --password=%{User-Password} -> --password=xxx Thu May 29 13:05:27 2008 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Thu May 29 13:05:27 2008 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Thu May 29 13:05:27 2008 : Debug: Exec-Program: returned: 0 Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Thu May 29 13:05:27 2008 : Debug: ++[ntlm_auth_pap] returns ok Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Thu May 29 13:05:27 2008 : Debug: ++[pap] returns noop Thu May 29 13:05:27 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Thu May 29 13:05:27 2008 : Debug: auth: Failed to validate the user. Thanks for your time / Regards, Bram. PS: I also tried 'if (!(Control:Auth-Type))' just in case, but same problem. Ivan Kalik wrote:
= not :=. Or check if Auth-Type already exists.
Ivan Kalik Kalik Informatika ISP
Dana 29/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap).
I also tried: if (Control:Auth-Type == "") { update control { Auth-Type := PAP } } and: if (!Control:Auth-Type) { update control { Auth-Type := PAP } } but they don't match.
Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough).
Regards,
Bram.
Ivan Kalik wrote:
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop@vulnscan.org> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client software I use [securew2] does not save user credentials with mschap, and does save them with pap. And just to offer more options to other clients). Anyway, I tried to do it using these suggestions (after previously my own attempt failed): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf: exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}" }
then in sites-enabled/inner-tunnel: authenticate { Auth-Type PAP { ntlm_auth_pap }
Actually I did the same in sites-enabled/default as well to see if it helps (didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user. Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test: network={ ssid="mynet-test" key_mgmt=WPA-EAP eap=TTLS pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 phase2="auth=PAP" identity="MYNET\myuser" password="xxx" anonymous_identity="anonymous@identity" }
I first tried a different aproach, like putting ntlm_auth_pap in the authorize { } section before pap, and then radius *is* calling ntlm_auth, but then it just goes on and complains about not known the Auth-Type. Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5 Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser Debug: expand: --password=%{User-Password} -> --password=xxx Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5 Debug: ++[ntlm_auth_pap] returns ok Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5 Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5 Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I then tried the following statements right before ntlm_auth_pap in authorize (you said to check if Auth-Type exists, this is the correct way to do that, right?): if (!Control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } }
http://www.freeradius.org/radiusd/man/unlang.html Read the bit about variables. Ivan Kalik Kalik Informatika ISP
Bram Matthys (Syzop) wrote:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap).
Use '='. See "man unlang". This IS documented.
Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough).
You don't. You've managed to put the "ntml_auth_pap" program into the "pap" Auth-Type, for reasons I don't understand. Why not just call it ntlm_auth_pap? After all, they're *different*. The do NOT do the same thing. The reason you need for force Auth-Type here is that the PAP module sets "Auth-Type = PAP" ONLY when BOTH of the following apply: a) no other module has already set Auth-Type b) there is a "known good" password in the control item list. In your case, (b) isn't true. If you run the server in debugging mode, the pap module will TELL YOU that it is not setting Auth-Type to PAP, and it will say WHY it is doing this. In your case, you are using the ntlm_auth_pap program as an "authentication oracle". See: http://deployingradius.com/documents/protocols/oracles.html It even lists "ntlm_auth" in the table. Alan DeKok.
Hi Alan, Alan DeKok wrote:
Bram Matthys (Syzop) wrote:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }: update control { Auth-Type := PAP } does indeed make pap work, but breaks anything else (like eap-mschap).
Use '='. See "man unlang". This IS documented.
Right.
Also, how come it is needed to force pap usage? I thought pap was supposed to always be used when no other mod took care of it (fallthrough).
You don't. You've managed to put the "ntml_auth_pap" program into the "pap" Auth-Type, for reasons I don't understand. Why not just call it ntlm_auth_pap? After all, they're *different*. The do NOT do the same thing.
That's what I did first, because it makes sense and sounds logical, but didn't get it working, as said in my original mail: it ran the program succesfully but then simply went on with other mods and in the end complaining about no auth-type being set. Anyway, when that didn't work I then saw a message from you (also mentioned in my original mail): http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html So I thought I'd give that a try. Could be that your suggestion there is for another type of configuration, but if that were the case then that wasn't clear to me.
The reason you need for force Auth-Type here is that the PAP module sets "Auth-Type = PAP" ONLY when BOTH of the following apply:
a) no other module has already set Auth-Type b) there is a "known good" password in the control item list.
In your case, (b) isn't true.
Correct.
If you run the server in debugging mode, the pap module will TELL YOU that it is not setting Auth-Type to PAP, and it will say WHY it is doing this.
In your case, you are using the ntlm_auth_pap program as an "authentication oracle". See:
http://deployingradius.com/documents/protocols/oracles.html
It even lists "ntlm_auth" in the table.
Yup. Saw that page. Regards, Bram.
Bram Matthys (Syzop) wrote:
You don't. You've managed to put the "ntml_auth_pap" program into the "pap" Auth-Type, for reasons I don't understand. Why not just call it ntlm_auth_pap? After all, they're *different*. The do NOT do the same thing.
That's what I did first, because it makes sense and sounds logical, but didn't get it working, as said in my original mail: it ran the program succesfully but then simply went on with other mods and in the end complaining about no auth-type being set.
I don't think you got my point. If you want to AUTHENTICATE using ntlm_auth_pap... then call it in the AUTHENTICATION section. Calling it in the AUTHORIZATION section is not AUTHENTICATION. You need to: a) set Auth-Type = ntlm_auth_pap in the authorize{} section which you are doing... sort of... using Auth-Type := PAP b) have an "Auth-Type ntlm_auth_pap" subsection in the authenticate{} section, which you are doing... sort of... using Auth-Type PAP.
Could be that your suggestion there is for another type of configuration, but if that were the case then that wasn't clear to me.
Yes. Don't mangle the existing configuration. PAP is for PAP. If you want a different Auth-Type, give it a different name. There is nothing magic about the PAP name. You don't have to put all custom authentication modules into the PAP subsection of the authenticate section. Alan DeKok.
Alan DeKok wrote:
I don't think you got my point. If you want to AUTHENTICATE using ntlm_auth_pap... then call it in the AUTHENTICATION section. Calling it in the AUTHORIZATION section is not AUTHENTICATION.
You need to:
a) set Auth-Type = ntlm_auth_pap in the authorize{} section which you are doing... sort of... using Auth-Type := PAP b) have an "Auth-Type ntlm_auth_pap" subsection in the authenticate{} section, which you are doing... sort of... using Auth-Type PAP. [..]
You're right. I'll be using a separate one from now on.
I then tried the following statements right before ntlm_auth_pap in
authorize (you said to check if Auth-Type exists, this is the correct way to do that, right?): if (!Control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } }
Ok, the syntax was correct, except it should have been control instead of Control.. which was the problem ;). Now everything is working fine, both pap and eap-mschapv2. Thanks all for your help! Bram.
participants (3)
-
Alan DeKok -
Bram Matthys (Syzop) -
Ivan Kalik