EAP-TTLS w/PAP using ntlm_auth
Bram Matthys (Syzop)
syzop at vulnscan.org
Thu May 29 12:45:11 CEST 2008
Hi Alan,
Alan DeKok wrote:
> Bram Matthys (Syzop) wrote:
>> Thanks for the hint. What would be the best place and way to do this?
>>
>> Putting this before pap in authorize { }:
>> update control {
>> Auth-Type := PAP
>> }
>> does indeed make pap work, but breaks anything else (like eap-mschap).
>
> Use '='. See "man unlang". This IS documented.
Right.
>> Also, how come it is needed to force pap usage? I thought pap was
>> supposed to always be used when no other mod took care of it (fallthrough).
>
> You don't. You've managed to put the "ntlm_auth_pap" program into the
> "pap" Auth-Type, for reasons I don't understand. Why not just call it
> ntlm_auth_pap? After all, they're *different*. They do NOT do the same
> thing.
That's what I did first, because it makes sense and sounds logical, but
didn't get it working, as said in my original mail: it ran the program
successfully but then simply went on with other mods and in the end
complained about no auth-type being set.
Anyway, when that didn't work I then saw a message from you (also mentioned
in my original mail):
http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
So I thought I'd give that a try.
Could be that your suggestion there is for another type of configuration,
but if that were the case then that wasn't clear to me.
> The reason you need to force Auth-Type here is that the PAP module
> sets "Auth-Type = PAP" ONLY when BOTH of the following apply:
>
> a) no other module has already set Auth-Type
> b) there is a "known good" password in the control item list.
>
> In your case, (b) isn't true.
Correct.
> If you run the server in debugging
> mode, the pap module will TELL YOU that it is not setting Auth-Type to
> PAP, and it will say WHY it is doing this.
>
> In your case, you are using the ntlm_auth_pap program as an
> "authentication oracle". See:
>
> http://deployingradius.com/documents/protocols/oracles.html
>
> It even lists "ntlm_auth" in the table.
Yup. Saw that page.
Regards,
Bram.
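The configuration the thread converges on, written out as an added example (not taken from the mail or from the FreeRADIUS distribution): the ntlm_auth exec call gets its own Auth-Type instead of being hidden inside "pap", and '=' rather than ':=' is used so the EAP module's Auth-Type is left alone. The module name ntlm_auth_pap, the ntlm_auth path and the domain are assumptions.

```unlang
# Added example, FreeRADIUS 2.x style; names and paths are assumptions.

# raddb/modules/ntlm_auth_pap  (hypothetical module name)
# Runs ntlm_auth as an authentication oracle: exit status decides the result.
exec ntlm_auth_pap {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/inner-tunnel  (the PAP request from EAP-TTLS lands here)
authorize {
    mschap
    eap            # sets Auth-Type = EAP itself for inner EAP methods

    # ':=' would overwrite an Auth-Type already set by eap (or mschap) and
    # break those methods.  '=' only adds the attribute when no module has
    # set Auth-Type yet, i.e. exactly the plain PAP case with no known-good
    # password in the control list.
    update control {
        Auth-Type = ntlm_auth_pap
    }

    pap            # will now say why it is NOT setting Auth-Type = PAP
}

authenticate {
    # Naming the section after the module creates the Auth-Type value.
    Auth-Type ntlm_auth_pap {
        ntlm_auth_pap
    }
    Auth-Type PAP {
        pap
    }
    mschap
    eap
}
```

Run the server with -X to confirm that the pap module reports why it skips setting Auth-Type and that ntlm_auth_pap is the section actually executed for the inner PAP request.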