EAP-TTLS w/PAP using ntlm_auth

Bram Matthys (Syzop) syzop at vulnscan.org
Wed May 28 15:29:14 CEST 2008 

While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like 
to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
software I use [securew2] does not save user credentials with mschap, and
does save them with pap. And just to offer more options to other clients).
Anyway, I tried to do it using these suggestions (after previously my own
attempt failed):
http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html

in radiusd.conf:
         exec ntlm_auth_pap {
                 wait = yes
                 input_pairs = request
                 shell_escape = yes
                 output = none
                 program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYNET --username=%{User-Name} --password=%{User-Password}"
         }

then in sites-enabled/inner-tunnel:
authenticate {
         Auth-Type PAP {
                 ntlm_auth_pap
         }

Actually I did the same in sites-enabled/default as well to see if it helps
(didn't matter, of course).

Just, for the record, pap is also in the authorize { } section, listed at
the end in that block, as recommended.

But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
to be honest I'm not even sure if pap is picking things up.

I always end up with this:

Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: calling pap
(rlm_pap) for request 5
Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: returned from pap
(rlm_pap) for request 5
Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from
client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)


I used this wpa supplicant config for testing with eapol_test:
network={
   ssid="mynet-test"
   key_mgmt=WPA-EAP
   eap=TTLS
   pairwise=CCMP TKIP
   group=CCMP TKIP WEP104 WEP40
   phase2="auth=PAP"
   identity="MYNET\myuser"
   password="xxx"
   anonymous_identity="anonymous at identity"
}

I first tried a different aproach, like putting ntlm_auth_pap in the
authorize { } section before pap, and then radius *is* calling ntlm_auth,
but then it just goes on and complains about not known the Auth-Type.
Debug:   modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
Debug:       expand: --username=%{User-Name} -> --username=MYNET\myuser
Debug:       expand: --password=%{User-Password} -> --password=xxx
Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program: returned: 0
Debug:   modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for 
request 5
Debug: ++[ntlm_auth_pap] returns ok
Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
Debug: ++[pap] returns noop

I've reverted that attempt before trying everything I mentioned earlier, though.

Regards,

	Bram.

More information about the Freeradius-Users mailing list