EAP-TTLS + PAP with external script

Dario Maccari d_maccari at hotmail.com
Thu May 15 16:20:33 CEST 2008



> > authorize {
> >         preprocess
> >         suffix
> >         eap
> >         pap
> >         papauth
> > }
> 
> pap really should go at the end - i believe the default
> config mentions this...with maybe exclamation marks or
> capital letters?
> 
> alan

How is this supposed to help me in any way to configure FR to do PAP authentication?
According to the documentation, PAP should be listed last in the authorize section because it needs to check passwords added by previous modules and normalize them.
In my case none of the previous modules (preprocess, suffix, eap) gives any known good password (and this is intended, since I don't want the RADIUS server to "know" the real user password), so pap just gives back NOOP.
I can even comment out pap in the authorize section, since it just responds noop in any case.

Here are the logs from radiusd -X in any case

**************** radiusd -X  with pap and not papauth ******************
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
**************************************************************

Since eap is over (final step of ttls) and no modules are adding a "known good" password for the user, pap responds noop and there is no Auth-Type configured.

**************** radiusd -X  with pap after papauth ******************
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
  modcall[authorize]: module "papauth" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
************************************************************

The script sets the Auth-Type and pap just answers noop.



**************** radiusd -X  with pap before papauth ******************
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 9
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
  modcall[authorize]: module "papauth" returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
**************************************************************

Pap still answers with noop and does not set the Auth-Type, but the script does the job, setting the Auth-Type and letting the second script check the credentials.

**************** radiusd -X  without pap in authorize ******************
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
  modcall[authorize]: module "papauth" returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
************************************************************

My question is which is the best way to correctly accomplish pap authentication WITHOUT using authorization checks.

My solution was to "force" Auth-Type to PAP in case we have username and password in radius attributes.
Another way is, I think, using a users file with "DEFAULT Auth-Type = PAP", but I read in many places NOT TO DO THAT.
Another way could be to check if the Auth-Type is present, set it to PAP if it is not set, and list that script last in the authorize section.

Which is the best solution?

Btw, in the config I see:
******************* radiusd.conf *************        
# As of 1.1.4, you should list "pap" last in this section.
# See "man rlm_pap" for more information.
*****************************************
So no exclamations and capitals, just a "should".
And I did read the man page to understand a little more about what I was going to do.

Thanks in advance

Bye

Maccari Dario
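An added example of the kind of "papauth" authorize script the post describes (this is illustrative code, not the poster's actual script nor part of FreeRADIUS). It assumes the module is an rlm_exec instance with `wait = yes`, `input_pairs = request` and `output_pairs = config`, and that rlm_exec exports request attributes as environment variables (User-Name as USER_NAME and so on); whether AUTH_TYPE is exported is an assumption, and the check does nothing when it is empty.

```shell
#!/bin/sh
# Hypothetical "papauth" script for rlm_exec (example, not from the post).
# Assumed module config: wait = yes, input_pairs = request, output_pairs = config.
# rlm_exec exports request attributes as environment variables, upper-cased
# and with '-' replaced by '_' (User-Name -> USER_NAME).
# Each "Attribute = value" line printed to stdout becomes a config item,
# which is how Auth-Type is forced here.

# decide_auth_type NAME PASSWORD EXISTING_AUTH_TYPE
# Prints "Auth-Type = PAP" and returns 0 when both a User-Name and a
# User-Password are present and no Auth-Type was set earlier in authorize
# (the third option from the post); otherwise prints nothing and returns 1.
decide_auth_type() {
    name=$1
    pass=$2
    existing=$3
    if [ -n "$existing" ]; then
        return 1            # respect an Auth-Type chosen by an earlier module
    fi
    if [ -z "$name" ] || [ -z "$pass" ]; then
        return 1            # nothing to authenticate with PAP
    fi
    printf 'Auth-Type = PAP\n'
    return 0
}

# Entry point when radiusd runs the script: attributes come from the
# environment. USER_PASSWORD is the cleartext password from inside the
# TTLS tunnel, so the script must never log or echo it.
# AUTH_TYPE being exported is an assumption; if absent it is simply empty.
if [ -n "${USER_NAME:-}" ]; then
    decide_auth_type "$USER_NAME" "${USER_PASSWORD:-}" "${AUTH_TYPE:-}"
    exit 0   # exit 0 either way: printing nothing leaves the request untouched
fi
```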
