EAP-TTLS w/PAP using ntlm_auth

Alan DeKok aland at deployingradius.com
Thu May 29 12:21:19 CEST 2008

Bram Matthys (Syzop) wrote:
> Thanks for the hint. What would be the best place and way to do this?
> Putting this before pap in authorize { }:
>             update control {
>                     Auth-Type := PAP
>             }
> does indeed make pap work, but breaks anything else (like eap-mschap).

  Use '='.  See "man unlang".  This IS documented.

> Also, how come it is needed to force pap usage? I thought pap was
> supposed to always be used when no other mod took care of it (fallthrough).

  You don't.  You've managed to put the "ntlm_auth_pap" program into the
"pap" Auth-Type, for reasons I don't understand.  Why not just call it
ntlm_auth_pap?  After all, they're *different*.  They do NOT do the same

  The reason you need to force Auth-Type here is that the PAP module
sets "Auth-Type = PAP" ONLY when BOTH of the following apply:

  a) no other module has already set Auth-Type
  b) there is a "known good" password in the control item list.

  In your case, (b) isn't true.  If you run the server in debugging
mode, the pap module will TELL YOU that it is not setting Auth-Type to
PAP, and it will say WHY it is doing this.

  In your case, you are using the ntlm_auth_pap program as an
"authentication oracle".  See:


  It even lists "ntlm_auth" in the table.

  Alan DeKok.
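
The operator difference and the pap module's rule described in this message, modelled in Python as an added example (not part of the original message and not FreeRADIUS code). The function names, the stand-in for the eap module, and the sample requests are assumptions made for illustration.

```python
# Simplified model of the control list during authorize {}; not server code.

# A subset of the attributes that count as a "known good" password.
KNOWN_GOOD = ("Cleartext-Password", "NT-Password", "Crypt-Password")

def update_control(control, attr, op, value):
    """Apply one 'update control' entry using the unlang operator op."""
    if op == ":=":
        control[attr] = value            # replace whatever is already there
    elif op == "=":
        control.setdefault(attr, value)  # add only if attr is not present
    else:
        raise ValueError(f"unsupported operator {op!r}")

def pap_authorize(control):
    """The pap module's rule as stated above: set Auth-Type only if (a) and (b)."""
    if "Auth-Type" in control:                       # (a) fails
        return "noop: Auth-Type already set"
    if not any(a in control for a in KNOWN_GOOD):    # (b) fails
        return "noop: no known good password"
    control["Auth-Type"] = "PAP"
    return "updated"

def authorize(request, op=None):
    """Cut-down authorize section: eap, optional update control, then pap."""
    control = {}
    if "EAP-Message" in request:         # hypothetical stand-in for eap
        control["Auth-Type"] = "EAP"
    if op is not None:
        update_control(control, "Auth-Type", op, "PAP")
    pap_result = pap_authorize(control)
    return control.get("Auth-Type"), pap_result

# Constructed requests: an EAP conversation and a tunnelled PAP request.
EAP_REQUEST = {"User-Name": "alice", "EAP-Message": "<constructed>"}
PAP_REQUEST = {"User-Name": "alice", "User-Password": "<constructed>"}

if __name__ == "__main__":
    for op in (None, ":=", "="):
        for name, req in (("eap", EAP_REQUEST), ("pap", PAP_REQUEST)):
            print(f"op={op!s:4} {name}: {authorize(req, op)}")
```

With no update at all the PAP request leaves authorize with no Auth-Type, because an authentication oracle supplies no known good password; ':=' fixes that but overwrites the Auth-Type the EAP stand-in set, while '=' fixes it without touching EAP.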
