EAP-TTLS (PAP) with Win2K3 domain not working
First, thanks Alan for your help, I managed to make it work with AD. Now I want to try to test to make EAP-TTLS with PAP to authenticate users in domain. I saw this link http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg004... So I added following lines to modules section of radiusd.conf exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}" } and I edited /etc/freeradius/sites-available/default file and /etc/freeradius/sites-enabled/default, section authenticate to Auth-Type PAP { ntlm_auth_pap } But when user tries to connect, I get following error: [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "testuser" User-Password = "testuserpass" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "testuser" User-Password = "testuserpass" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject SSL: Removing session 963d9312e7948dc613d384208137728dce44b3071923bb0c257aeaf9229a1a95 from the cache [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. If someone can help, that would be great. Thanks once again for your help with my previous question folks, I really appreciate it.
Hi,
exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none
program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}" ^^^^^^^^^^^^
i really do hope that you changed that bit to be the correct $PATH for your ntlm_auth command
and I edited /etc/freeradius/sites-available/default file and /etc/freeradius/sites-enabled/default, section authenticate to
Auth-Type PAP { ntlm_auth_pap }
no. this is TTLS, so this is going to occur in the inner-tunnel unless you've really cooked up your config is some wierd way. a default install will use the inner-tunnel sites-enabled file - put your ntlm_auth_pap stuff into that file.
server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user. } # server inner-tunnel
see. inner-tunnel. you arent dealing with the user properly alan
Sorry, I just c/p that line from other link here is mine exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}" } should domain field be pre-windows 2000/NT name or fqdn? (domain.com) Also, I didn't get you quite well, I am new to both linux and freeradius, should I set following Auth-Type PAP { ntlm_auth_pap } in authenticate section of /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files? Thanks for all your help On Thu, Jun 25, 2009 at 18:43, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none
program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}" ^^^^^^^^^^^^
i really do hope that you changed that bit to be the correct $PATH for your ntlm_auth command
and I edited /etc/freeradius/sites-available/default file and /etc/freeradius/sites-enabled/default, section authenticate to
Auth-Type PAP { ntlm_auth_pap }
no. this is TTLS, so this is going to occur in the inner-tunnel unless you've really cooked up your config is some wierd way. a default install will use the inner-tunnel sites-enabled file - put your ntlm_auth_pap stuff into that file.
server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user. } # server inner-tunnel
see. inner-tunnel. you arent dealing with the user properly
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry, I just c/p that line from other link
here is mine
exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}" }
should domain field be pre-windows 2000/NT name or fqdn? (domain.com)
Also, I didn't get you quite well, I am new to both linux and freeradius, should I set following
Auth-Type PAP { ntlm_auth_pap }
in authenticate section of /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files?
No, authenticate should look like: Auth-Type PAP { pap } ntlm_auth_pap ... Ivan Kalik Kalik Informatika ISP
Yes, I reverted authenticate part to Auth-Type PAP { pap } On Fri, Jun 26, 2009 at 11:26, Ivan Kalik <tnt@kalik.net> wrote:
Sorry, I just c/p that line from other link
here is mine
exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}" }
should domain field be pre-windows 2000/NT name or fqdn? (domain.com)
Also, I didn't get you quite well, I am new to both linux and freeradius, should I set following
Auth-Type PAP { ntlm_auth_pap }
in authenticate section of /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files?
No, authenticate should look like:
Auth-Type PAP { pap }
ntlm_auth_pap
...
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Jun 26, 2009 at 9:57 AM, Petar Marinkovic <highl1@gmail.com> wrote:
Sorry, I just c/p that line from other link
here is mine
exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}" }
should domain field be pre-windows 2000/NT name or fqdn? (domain.com)
You can use both the fqdn or the netbios name for the --domain Hope it helps. -- http://braceta.com Luís Azevedo
First, thanks Alan for your help, I managed to make it work with AD. Now I want to try to test to make EAP-TTLS with PAP to authenticate users in domain. I saw this link http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg004...
So I added following lines to modules section of radiusd.conf
exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none
program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}" }
and I edited /etc/freeradius/sites-available/default file and /etc/freeradius/sites-enabled/default, section authenticate to
Auth-Type PAP { ntlm_auth_pap }
Don't do that. One - it's a wrong virtual server and two - it's not going to work. Use the same technique as in the guide for pap requests. List ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look at ttls section of eap.conf and you will see where will inner tunnel requests end up). Forcing Auth-Type in users file might break a few things so add this to authenticate section of inner-tunnel virtual server *after* pap instead: if(!control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } } That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if password is nowhere to be found. Ivan Kalik Kalik Informatika ISP
In eap.conf, for eap-ttls there is a line virtual_server = "inner-tunnel" I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files, like this Auth-Type PAP { pap } if(!control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } } and when I try to restart the server, I get following error: radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } /etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value ntlm_auth_pap for attribute Auth-Type /etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse "update" subsection. /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. Errors initializing modules Sorry if I am asking stupid questions, but I am new to linux and freeradius, and this is all so confusing for me :) What I am doing wrong? On Fri, Jun 26, 2009 at 00:03, Ivan Kalik <tnt@kalik.net> wrote:
First, thanks Alan for your help, I managed to make it work with AD. Now I want to try to test to make EAP-TTLS with PAP to authenticate users in domain. I saw this link
http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg004...
So I added following lines to modules section of radiusd.conf
exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none
program = "/path/to/ntlm_auth --username=%{User-Name}
--domain=EXCHANGE
--password=%{User-Password}" }
and I edited /etc/freeradius/sites-available/default file and /etc/freeradius/sites-enabled/default, section authenticate to
Auth-Type PAP { ntlm_auth_pap }
Don't do that. One - it's a wrong virtual server and two - it's not going to work. Use the same technique as in the guide for pap requests. List ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look at ttls section of eap.conf and you will see where will inner tunnel requests end up). Forcing Auth-Type in users file might break a few things so add this to authenticate section of inner-tunnel virtual server *after* pap instead:
if(!control:Auth-Type) { update control { Auth-Type = ntlm_auth_pap } }
That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if password is nowhere to be found.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Ivan Kalik -
Luis Azevedo -
Petar Marinkovic