EAP-TTLS w/PAP using ntlm_auth

Ivan Kalik tnt at kalik.net
Wed May 28 20:30:23 CEST 2008


Use unlang to set Auth-Type PAP even if pap returns noop.

Ivan Kalik
Kalik Informatika ISP


On 28/5/2008, "Bram Matthys (Syzop)" <syzop at vulnscan.org> writes:

>While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
>to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
>software I use [securew2] does not save user credentials with mschap, and
>does save them with pap. And just to offer more options to other clients).
>Anyway, I tried to do it using these suggestions (after previously my own
>attempt failed):
>http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
>
>in radiusd.conf:
>         exec ntlm_auth_pap {
>                 wait = yes
>                 input_pairs = request
>                 shell_escape = yes
>                 output = none
>                 program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}"
>         }
>
>then in sites-enabled/inner-tunnel:
>authenticate {
>         Auth-Type PAP {
>                 ntlm_auth_pap
>         }
>}
>
>Actually I did the same in sites-enabled/default as well to see if it helps
>(didn't matter, of course).
>
>Just, for the record, pap is also in the authorize { } section, listed at
>the end in that block, as recommended.
>
>But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
>to be honest I'm not even sure if pap is picking things up.
>
>I always end up with this:
>
>Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
>Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
>Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
>Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
>Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
>
>
>I used this wpa supplicant config for testing with eapol_test:
>network={
>   ssid="mynet-test"
>   key_mgmt=WPA-EAP
>   eap=TTLS
>   pairwise=CCMP TKIP
>   group=CCMP TKIP WEP104 WEP40
>   phase2="auth=PAP"
>   identity="MYNET\myuser"
>   password="xxx"
>   anonymous_identity="anonymous@identity"
>}
>
>I first tried a different approach, like putting ntlm_auth_pap in the
>authorize { } section before pap, and then radius *is* calling ntlm_auth,
>but then it just goes on and complains about not knowing the Auth-Type.
>Debug:   modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
>Debug:       expand: --username=%{User-Name} -> --username=MYNET\myuser
>Debug:       expand: --password=%{User-Password} -> --password=xxx
>Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
>Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>Debug: Exec-Program: returned: 0
>Debug:   modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5
>Debug: ++[ntlm_auth_pap] returns ok
>Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
>Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
>Debug: ++[pap] returns noop
>
>I've reverted that attempt before trying everything I mentioned earlier, though.
>
>Regards,
>
>	Bram.
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
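The following is an added example of the fix Ivan describes (set Auth-Type PAP from unlang when rlm_pap returns noop); it is not configuration from either poster or from the FreeRADIUS project. It reuses the exec instance name ntlm_auth_pap, the domain MYNET and the inner-tunnel virtual server from Bram's post, and assumes a FreeRADIUS 2.x raddb layout; the program line is the one posted, only kept on a single line.

```unlang
# radiusd.conf (or modules/ntlm_auth_pap): the exec instance from the post.
# wait = yes is what makes the module result follow ntlm_auth's exit status
# (0 -> ok, non-zero -> reject); shell_escape = yes is mandatory because both
# arguments are strings supplied by the supplicant.
exec ntlm_auth_pap {
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = none
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}"
}

# sites-enabled/inner-tunnel
authorize {
        # ... the stock module list stays as shipped, with pap last ...
        pap

        # rlm_pap only sets Auth-Type when it found a known-password attribute
        # (Cleartext-Password, NT-Password, ...) for the user, which is why it
        # returns noop here and the request dies with "No authenticate method".
        # A cleartext User-Password in the inner request means the inner
        # method is PAP, so choose the Auth-Type ourselves. ":=" overwrites,
        # so a PAP set earlier by rlm_pap is left as PAP.
        if (User-Password) {
                update control {
                        Auth-Type := PAP
                }
        }
}

authenticate {
        # Every PAP request in the inner tunnel is now checked against the
        # domain via ntlm_auth instead of rlm_pap. The outer (default) server
        # never sees a User-Password, only EAP-Message, so it needs no change.
        Auth-Type PAP {
                ntlm_auth_pap
        }
        eap
}
```

Two checks before relying on this. First, an exec module listed in authorize (Bram's first attempt) returns ok on exit status 0 but never sets Auth-Type, so the request still reaches the "No authenticate method" rejection; the exec call belongs in the Auth-Type PAP block, and the unlang block in authorize only selects it. Second, this construction puts the user's cleartext password on the command line of a forked ntlm_auth process, where it is readable from the process table by any local user for the lifetime of that process, and --request-nt-key requires radiusd to run with access to the winbindd privileged pipe; restrict who can log in to the RADIUS host accordingly. In `radiusd -X` output the line `++[pap] returns noop` should now be followed by the if/update block being evaluated instead of the rejection.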