EAP-TTLS w/PAP using ntlm_auth

Bram Matthys (Syzop) syzop at vulnscan.org
Thu May 29 11:47:45 CEST 2008


Thanks for the hint. What would be the best place and way to do this?

Putting this before pap in authorize { }:
             update control {
                     Auth-Type := PAP
             }
does indeed make pap work, but breaks anything else (like eap-mschap).

I also tried:
         if (Control:Auth-Type == "") {
                 update control {
                         Auth-Type := PAP
                 }
         }
and:
         if (!Control:Auth-Type) {
                 update control {
                         Auth-Type := PAP
                 }
         }
but they don't match.

Also, how come it is needed to force pap usage? I thought pap was supposed 
to always be used when no other mod took care of it (fallthrough).

Regards,

	Bram.

Ivan Kalik wrote:
> Use unlang to set Auth-Type PAP even if pap returns noop.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop at vulnscan.org> piše:
> 
>> While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
>> to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
>> software I use [securew2] does not save user credentials with mschap, and
>> does save them with pap. And just to offer more options to other clients).
>> Anyway, I tried to do it using these suggestions (after previously my own
>> attempt failed):
>> http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
>>
>> in radiusd.conf:
>>         exec ntlm_auth_pap {
>>                 wait = yes
>>                 input_pairs = request
>>                 shell_escape = yes
>>                 output = none
>>                 program = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=MYNET --username=%{User-Name} --password=%{User-Password}"
>>         }
>>
>> then in sites-enabled/inner-tunnel:
>> authenticate {
>>         Auth-Type PAP {
>>                 ntlm_auth_pap
>>         }
>> }
>>
>> Actually I did the same in sites-enabled/default as well to see if it helps
>> (didn't matter, of course).
>>
>> Just, for the record, pap is also in the authorize { } section, listed at
>> the end in that block, as recommended.
>>
>> But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
>> to be honest I'm not even sure if pap is picking things up.
>>
>> I always end up with this:
>>
>> Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: calling pap
>> (rlm_pap) for request 5
>> Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: returned from pap
>> (rlm_pap) for request 5
>> Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
>> Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type)
>> configuration found for the request: Rejecting the user
>> Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
>> Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from
>> client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
>>
>>
>> I used this wpa supplicant config for testing with eapol_test:
>> network={
>>   ssid="mynet-test"
>>   key_mgmt=WPA-EAP
>>   eap=TTLS
>>   pairwise=CCMP TKIP
>>   group=CCMP TKIP WEP104 WEP40
>>   phase2="auth=PAP"
>>   identity="MYNET\myuser"
>>   password="xxx"
>>   anonymous_identity="anonymous at identity"
>> }
>>
>> I first tried a different approach, like putting ntlm_auth_pap in the
>> authorize { } section before pap, and then radius *is* calling ntlm_auth,
>> but then it just goes on and complains about not knowing the Auth-Type.
>> Debug:   modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
>> Debug:       expand: --username=%{User-Name} -> --username=MYNET\myuser
>> Debug:       expand: --password=%{User-Password} -> --password=xxx
>> Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
>> Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>> Debug: Exec-Program: returned: 0
>> Debug:   modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for
>> request 5
>> Debug: ++[ntlm_auth_pap] returns ok
>> Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
>> Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
>> Debug: ++[pap] returns noop
>>
>> I've reverted that attempt before trying everything I mentioned earlier, though.
>>
>> Regards,
>>
>> 	Bram.
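One way to apply Ivan's suggestion without breaking the EAP inner methods, as an added example that is not part of this thread: set Auth-Type := PAP only when the inner request actually carries a User-Password (a TTLS/PAP inner request does, an EAP-MSCHAPv2 inner request does not) and no earlier module has already chosen an Auth-Type. The ntlm_auth_pap exec module is the one defined in radiusd.conf in the quoted mail; the lowercase control: list prefix follows the unlang man page, and the placement after eap and pap mirrors the stock 2.x inner-tunnel layout (the exact ordering is my assumption).

```unlang
# sites-enabled/inner-tunnel (added example, not the thread's own config)
authorize {
        # eap sets Auth-Type for EAP-MSCHAPv2 etc. and returns "ok",
        # so "ok = return" stops processing here for those requests
        # and nothing below touches them.
        eap {
                ok = return
        }

        # pap returns noop here because no module supplied a known-good
        # (Cleartext-Password) for the user; with ntlm_auth doing the
        # check, that noop is expected and harmless.
        pap

        # Only a TTLS/PAP inner request carries User-Password.
        # If no module has claimed the request, hand it to Auth-Type PAP.
        if (User-Password && !control:Auth-Type) {
                update control {
                        Auth-Type := PAP
                }
        }
}

authenticate {
        Auth-Type PAP {
                # exec module from radiusd.conf (as in the quoted mail).
                # User-Name and User-Password are supplied by the client and
                # are expanded onto the command line, so keep
                # shell_escape = yes in that module's definition.
                ntlm_auth_pap
        }

        # EAP inner methods (EAP-MSCHAPv2 with ntlm_auth) stay as before
        eap
}
```

With this layout an EAP-MSCHAPv2 inner request never reaches the if block, because eap has already set Auth-Type and returned, while a PAP inner request (no Auth-Type, User-Password present) is routed to the ntlm_auth_pap call in authenticate instead of being rejected with "No authenticate method (Auth-Type) configuration found".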
