EAP-TTLS w/PAP using ntlm_auth
Bram Matthys (Syzop)
syzop at vulnscan.org
Wed May 28 15:29:14 CEST 2008
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
software I use [securew2] does not save user credentials with mschap, and
does save them with pap. And just to offer more options to other clients).
Anyway, I tried to do it using these suggestions (after previously my own
attempt failed):
http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf:
exec ntlm_auth_pap {
wait = yes
input_pairs = request
shell_escape = yes
output = none
program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYNET --username=%{User-Name} --password=%{User-Password}"
}
then in sites-enabled/inner-tunnel:
authenticate {
Auth-Type PAP {
ntlm_auth_pap
}
Actually I did the same in sites-enabled/default as well to see if it helps
(didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at
the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap
(rlm_pap) for request 5
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap
(rlm_pap) for request 5
Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from
client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test:
network={
ssid="mynet-test"
key_mgmt=WPA-EAP
eap=TTLS
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
phase2="auth=PAP"
identity="MYNET\myuser"
password="xxx"
anonymous_identity="anonymous at identity"
}
I first tried a different aproach, like putting ntlm_auth_pap in the
authorize { } section before pap, and then radius *is* calling ntlm_auth,
but then it just goes on and complains about not known the Auth-Type.
Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser
Debug: expand: --password=%{User-Password} -> --password=xxx
Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program: returned: 0
Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for
request 5
Debug: ++[ntlm_auth_pap] returns ok
Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5
Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5
Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
More information about the Freeradius-Users
mailing list