EAP-TTLS + PAP with external script

Alan DeKok aland at deployingradius.com
Thu May 15 17:17:20 CEST 2008

Dario Maccari wrote:
> How is this supposed to help me in any way to configure FR to do PAP
> authentication?

  If you are configured the *server* to do PAP authentication, then the
default configuration files should be used.  Your module (exec/whatever)
should supply a "known good" password.  The server then uses that to
authenticate the user.

  If *your module* is doing PAP authentication, then you need to list
*your module* in the "authenticate" section.  You need to force
Auth-Type to be *your module*.  And all other authentication types will

> Accordingly to documentation, PAP should be listed last in authorize
> section becouse need to check passwords added by previous modules and
> normalize them.


> In my case none previus modules (preprocess, suffix, eap) gives any
> known good password (and this is intended since i don't want the RADIUS
> server to "know" the real user password) su pap just give back NOOP.

  Then your module needs to do the authentication.  Any why do you care
if the server knows the password?  Is it for "security"?

  Are you aware that for TTLS + PAP, if your external script returns
"authenticated", the server *knows* that the PAP password is correct?
So why not simplify your life, and give the server the real user password?

> Here are the log from radiusd -X in any case
> **************** radiusd -X  with pap and not papauth ******************
> rlm_pap: WARNING! No "known good" password found for the user. 
> Authentication may fail because of this.
>   modcall[authorize]: module "pap" returns noop for request 9
> modcall: leaving group authorize (returns ok) for request 9
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

  i.e. you haven't told the server what the "known good" password is,
and you haven't told the server how to authenticate the user.

> The script set the Auth-Type and pap just answer noop.

  Huh?  You're setting Auth-Type to PAP in your script?  Do you expect
the PAP module to m

  I've deleted the other attempts at "let's make random changes to see
if it works".

  Stop making changes until you understand how the server works.  Start
with the default configuration, and then do this in the "inner-tunnel"
virtual server.  (i.e. also use 2.0.4)

authorize {

	update control {
		Cleartext-Password := `/path/to/script %{User-Name}`

  The script should use the username to look up the "known good"
password, and then print it to STDOUT.  e.g. "echo hello" would be a
good start.

  EAP-TTLS + PAP will then WORK.  And YES, you will be giving the server
the "real user password".  This is NOT a problem.  If you think it's a
problem, then you need to change your opinion.  It's NOT a problem.

  Alan Dekok.

More information about the Freeradius-Users mailing list