EAP-TTLS w/PAP using ntlm_auth

Bram Matthys (Syzop) syzop at vulnscan.org
Thu May 29 12:45:11 CEST 2008

Hi Alan,

Alan DeKok wrote:
> Bram Matthys (Syzop) wrote:
>> Thanks for the hint. What would be the best place and way to do this?
>> Putting this before pap in authorize { }:
>>             update control {
>>                     Auth-Type := PAP
>>             }
>> does indeed make pap work, but breaks anything else (like eap-mschap).
>   Use '='.  See "man unlang".  This IS documented.


>> Also, how come it is needed to force pap usage? I thought pap was
>> supposed to always be used when no other mod took care of it (fallthrough).
>   You don't.  You've managed to put the "ntml_auth_pap" program into the
> "pap" Auth-Type, for reasons I don't understand.  Why not just call it
> ntlm_auth_pap?  After all, they're *different*.  The do NOT do the same
> thing.

That's what I did first, because it makes sense and sounds logical, but
didn't get it working, as said in my original mail: it ran the program
succesfully but then simply went on with other mods and in the end
complaining about no auth-type being set.
Anyway, when that didn't work I then saw a message from you (also mentioned
in my original mail):
So I thought I'd give that a try.
Could be that your suggestion there is for another type of configuration,
but if that were the case then that wasn't clear to me.

>   The reason you need for force Auth-Type here is that the PAP module
> sets "Auth-Type = PAP" ONLY when BOTH of the following apply:
>   a) no other module has already set Auth-Type
>   b) there is a "known good" password in the control item list.
>   In your case, (b) isn't true.


> If you run the server in debugging
> mode, the pap module will TELL YOU that it is not setting Auth-Type to
> PAP, and it will say WHY it is doing this.
>   In your case, you are using the ntlm_auth_pap program as an
> "authentication oracle".  See:
> http://deployingradius.com/documents/protocols/oracles.html
>   It even lists "ntlm_auth" in the table.

Yup. Saw that page.



More information about the Freeradius-Users mailing list