EAP-TTLS w/PAP using ntlm_auth
Ivan Kalik
tnt at kalik.net
Thu May 29 11:55:46 CEST 2008
= not :=. Or check if Auth-Type already exists.
Ivan Kalik
Kalik Informatika ISP
On 29/5/2008, "Bram Matthys (Syzop)" <syzop at vulnscan.org> writes:
>Thanks for the hint. What would be the best place and way to do this?
>
>Putting this before pap in authorize { }:
> update control {
> Auth-Type := PAP
> }
>does indeed make pap work, but breaks anything else (like eap-mschap).
>
>I also tried:
> if (Control:Auth-Type == "") {
> update control {
> Auth-Type := PAP
> }
> }
>and:
> if (!Control:Auth-Type) {
> update control {
> Auth-Type := PAP
> }
> }
>but they don't match.
>
>Also, how come it is needed to force pap usage? I thought pap was supposed
>to always be used when no other mod took care of it (fallthrough).
>
>Regards,
>
> Bram.
>
>Ivan Kalik wrote:
>> Use unlang to set Auth-Type PAP even if pap returns noop.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 28/5/2008, "Bram Matthys (Syzop)" <syzop at vulnscan.org> writes:
>>
>>> While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
>>> to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
>>> software I use [securew2] does not save user credentials with mschap, and
>>> does save them with pap. And just to offer more options to other clients).
>>> Anyway, I tried to do it using these suggestions (after previously my own
>>> attempt failed):
>>> http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
>>>
>>> in radiusd.conf:
>>> exec ntlm_auth_pap {
>>> wait = yes
>>> input_pairs = request
>>> shell_escape = yes
>>> output = none
>>> program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}"
>>> }
>>>
>>> then in sites-enabled/inner-tunnel:
>>> authenticate {
>>> Auth-Type PAP {
>>> ntlm_auth_pap
>>> }
>>> }
>>>
>>> Actually I did the same in sites-enabled/default as well to see if it helps
>>> (didn't matter, of course).
>>>
>>> Just, for the record, pap is also in the authorize { } section, listed at
>>> the end in that block, as recommended.
>>>
>>> But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
>>> to be honest I'm not even sure if pap is picking things up.
>>>
>>> I always end up with this:
>>>
>>> Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap
>>> (rlm_pap) for request 5
>>> Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap
>>> (rlm_pap) for request 5
>>> Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
>>> Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type)
>>> configuration found for the request: Rejecting the user
>>> Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
>>> Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from
>>> client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
>>>
>>>
>>> I used this wpa supplicant config for testing with eapol_test:
>>> network={
>>> ssid="mynet-test"
>>> key_mgmt=WPA-EAP
>>> eap=TTLS
>>> pairwise=CCMP TKIP
>>> group=CCMP TKIP WEP104 WEP40
>>> phase2="auth=PAP"
>>> identity="MYNET\myuser"
>>> password="xxx"
>>> anonymous_identity="anonymous at identity"
>>> }
>>>
>>> I first tried a different approach, like putting ntlm_auth_pap in the
>>> authorize { } section before pap, and then radius *is* calling ntlm_auth,
>>> but then it just goes on and complains about not knowing the Auth-Type.
>>> Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
>>> Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser
>>> Debug: expand: --password=%{User-Password} -> --password=xxx
>>> Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
>>> Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>>> Debug: Exec-Program: returned: 0
>>> Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for
>>> request 5
>>> Debug: ++[ntlm_auth_pap] returns ok
>>> Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5
>>> Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5
>>> Debug: ++[pap] returns noop
>>>
>>> I've reverted that attempt before trying everything I mentioned earlier, though.
>>>
>>> Regards,
>>>
>>> Bram.
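Ivan's point about "=" versus ":=", written out as an added example (not a configuration from this thread or from the FreeRADIUS project) of how the inner-tunnel sections could look so that tunnelled PAP is handed to ntlm_auth_pap while inner EAP-MSCHAPv2 keeps working; the "ok = return" on eap follows the stock inner-tunnel layout and is assumed here:

```unlang
# Added example: sites-enabled/inner-tunnel
authorize {
    # For EAP-MSCHAPv2 inside the tunnel the eap module sets
    # control:Auth-Type itself and we stop here.
    eap {
        ok = return
    }

    # For plain PAP inside the tunnel nothing has set Auth-Type yet.
    # "=" adds the attribute only if it does not already exist, so an
    # Auth-Type chosen earlier (EAP, MS-CHAP, ...) is left untouched.
    # ":=" would overwrite it, which is why forcing PAP broke eap-mschap.
    update control {
        Auth-Type = PAP
    }

    # pap still returns noop for a tunnelled PAP request without a
    # known-good password; that is fine, Auth-Type is already set.
    pap
}

authenticate {
    # rlm_exec with wait = yes: exit status 0 from ntlm_auth is "ok",
    # anything else rejects the request.
    Auth-Type PAP {
        ntlm_auth_pap
    }
}
```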