EAP-TTLS w/PAP using ntlm_auth

Alan DeKok aland at deployingradius.com
Thu May 29 12:21:19 CEST 2008


Bram Matthys (Syzop) wrote:
> Thanks for the hint. What would be the best place and way to do this?
> 
> Putting this before pap in authorize { }:
>             update control {
>                     Auth-Type := PAP
>             }
> does indeed make pap work, but breaks anything else (like eap-mschap).

  Use '='.  See "man unlang".  This IS documented.

> Also, how come it is needed to force pap usage? I thought pap was
> supposed to always be used when no other mod took care of it (fallthrough).

  You don't.  You've managed to put the "ntlm_auth_pap" program into the
"pap" Auth-Type, for reasons I don't understand.  Why not just call it
ntlm_auth_pap?  After all, they're *different*.  They do NOT do the same
thing.

  The reason you need to force Auth-Type here is that the PAP module
sets "Auth-Type = PAP" ONLY when BOTH of the following apply:

  a) no other module has already set Auth-Type
  b) there is a "known good" password in the control item list.

  In your case, (b) isn't true.  If you run the server in debugging
mode, the pap module will TELL YOU that it is not setting Auth-Type to
PAP, and it will say WHY it is doing this.

  In your case, you are using the ntlm_auth_pap program as an
"authentication oracle".  See:

http://deployingradius.com/documents/protocols/oracles.html

  It even lists "ntlm_auth" in the table.

  Alan DeKok.
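The configuration shape described in this reply, as an added example that is not part of the original message or of the FreeRADIUS distribution: a separate "exec" module named after the program it runs (the name ntlm_auth_pap follows the suggestion above and is an assumption), selected with '=' rather than ':=' so that an Auth-Type already set by another module (e.g. eap) is left alone. The ntlm_auth path, the domain name, and the %{mschap:User-Name} / %{User-Password} expansions are assumptions for illustration, to be adjusted to the local setup.

```unlang
# modules/ntlm_auth_pap -- added example, not from the original post.
# The module name ntlm_auth_pap is an assumption following the reply above;
# the program path and domain are placeholders.
exec ntlm_auth_pap {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
        shell_escape = yes
}

# sites-enabled/inner-tunnel (the request seen after EAP-TTLS decapsulation)
authorize {
        eap {
                ok = return
        }
        files

        # Set the Auth-Type only when nothing earlier in authorize has claimed
        # the request.  '=' adds control:Auth-Type only if it is still unset;
        # ':=' would overwrite the Auth-Type that eap set for inner EAP methods,
        # which is what broke EAP-MSCHAP in the quoted configuration.
        if (User-Password) {
                update control {
                        Auth-Type = ntlm_auth_pap
                }
        }

        # pap stays in authorize for users whose "known good" password is in
        # the control list; with no such password it will say in debug mode
        # why it is NOT setting Auth-Type = PAP.
        pap
}

authenticate {
        # The oracle: ntlm_auth returns success or failure, nothing more,
        # so this Auth-Type only ever applies to plaintext (PAP) passwords.
        Auth-Type ntlm_auth_pap {
                ntlm_auth_pap
        }

        Auth-Type PAP {
                pap
        }

        eap
}
```

Run the server with "radiusd -X" and send an inner-tunnel PAP request and an inner EAP-MSCHAP request: the debug output shows Auth-Type = ntlm_auth_pap chosen for the former only, while the latter keeps Auth-Type = EAP because '=' does not replace an existing value.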
