EAP-TTLS w/PAP using ntlm_auth

Bram Matthys (Syzop) syzop at vulnscan.org
Thu May 29 13:04:10 CEST 2008


Ok... I took Alan's advice of taking it out of pap, my config is now:

authenticate {
..
ntlm_auth_pap

and
authorize {
..(near the end)..
ntlm_auth_pap

I then tried the following statements right before ntlm_auth_pap in 
authorize (you said to check if Auth-Type exists, this is the correct way to 
do that, right?):
         if (!Control:Auth-Type) {
                 update control {
                         Auth-Type = ntlm_auth_pap
                 }
         }
this results in:
Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type)
Thu May 29 13:01:47 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE
Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE

and I tried this:
         if (Control:Auth-Type == "") {
                 update control {
                         Auth-Type = ntlm_auth_pap
                 }
         }
which resulted in:
Thu May 29 13:04:45 2008 : Debug: ++[logintime] returns noop
Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "")
Thu May 29 13:04:45 2008 : Debug: ? Evaluating (Control:Auth-Type == "") -> 
FALSE
Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "") -> FALSE



Now, for the record, this is what I now get.. a bit more verbose:
Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type)
Thu May 29 13:05:27 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE
Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE
Thu May 29 13:05:27 2008 : Debug:   modsingle[authorize]: calling 
ntlm_auth_pap (rlm_exec) for request 5
Thu May 29 13:05:27 2008 : Debug:       expand: --username=%{User-Name} -> 
--username=MYNET\myuser
Thu May 29 13:05:27 2008 : Debug:       expand: --password=%{User-Password} 
-> --password=xxx
Thu May 29 13:05:27 2008 : Debug: Exec-Program output: NT_STATUS_OK: Success 
(0x0)
Thu May 29 13:05:27 2008 : Debug: Exec-Program-Wait: plaintext: 
NT_STATUS_OK: Success (0x0)
Thu May 29 13:05:27 2008 : Debug: Exec-Program: returned: 0
Thu May 29 13:05:27 2008 : Debug:   modsingle[authorize]: returned from 
ntlm_auth_pap (rlm_exec) for request 5
Thu May 29 13:05:27 2008 : Debug: ++[ntlm_auth_pap] returns ok
Thu May 29 13:05:27 2008 : Debug:   modsingle[authorize]: calling pap 
(rlm_pap) for request 5
Thu May 29 13:05:27 2008 : Debug:   modsingle[authorize]: returned from pap 
(rlm_pap) for request 5
Thu May 29 13:05:27 2008 : Debug: ++[pap] returns noop
Thu May 29 13:05:27 2008 : Debug: auth: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Thu May 29 13:05:27 2008 : Debug: auth: Failed to validate the user.

Thanks for your time / Regards,

	Bram.

PS: I also tried 'if (!(Control:Auth-Type))' just in case, but same problem.
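Editor's note: the block below is an added example, not part of this thread and not FreeRADIUS code. It is a small Python model of the `update control { ... }` operators that Ivan's hint ("= not :=") turns on, and of why a request that reaches authenticate with no Auth-Type is rejected. The operator semantics follow the unlang documentation; the "eap sets Auth-Type := EAP" step and the value `ntlm_auth_pap` are taken from the thread, and every function name and scenario here is constructed for illustration.

```python
# Added example (not from the thread, not FreeRADIUS code): a model of how
# 'update control { Auth-Type <op> value }' interacts with an Auth-Type that
# an earlier module (eap) may already have set, and what the authenticate
# section does when nothing set one.
from typing import List, Optional, Tuple

# The 'control' list of a request, modelled as an ordered list of
# (attribute, value) pairs.
AttrList = List[Tuple[str, str]]


def update(control: AttrList, attr: str, op: str, value: str) -> AttrList:
    """Apply one 'update control { attr op value }' line and return a new list.

    Operator semantics as documented for unlang:
      '='   add the attribute only if it is not already present
      ':='  set the attribute, replacing any existing copies
      '+='  always append another copy
      '!*'  delete all copies of the attribute
    """
    present = any(a == attr for a, _ in control)
    if op == "=":
        return control if present else control + [(attr, value)]
    if op == ":=":
        return [(a, v) for a, v in control if a != attr] + [(attr, value)]
    if op == "+=":
        return control + [(attr, value)]
    if op == "!*":
        return [(a, v) for a, v in control if a != attr]
    raise ValueError(f"unsupported operator {op!r}")


def auth_type(control: AttrList) -> Optional[str]:
    """Return the Auth-Type the authenticate section would dispatch on, or None."""
    for a, v in control:
        if a == "Auth-Type":
            return v
    return None


def authorize(control: AttrList, eap_request: bool, op: str,
              guarded: bool = False) -> AttrList:
    """Model the tail of the authorize section discussed in the thread.

    eap_request: the request carried an EAP-Message, so the eap module has
                 already done 'Auth-Type := EAP' earlier in authorize.
    op:          operator used in the 'update control' block for the PAP case.
    guarded:     wrap that block in 'if (!control:Auth-Type) { ... }'.
    """
    if eap_request:
        control = update(control, "Auth-Type", ":=", "EAP")
    if not guarded or auth_type(control) is None:
        control = update(control, "Auth-Type", op, "ntlm_auth_pap")
    return control


def outcome(control: AttrList) -> str:
    """Model authenticate: dispatch on Auth-Type, or reject when there is none
    ('No authenticate method (Auth-Type) configuration found for the request')."""
    return auth_type(control) or "reject"


if __name__ == "__main__":
    # Constructed scenarios; inputs are an empty control list, no real credentials.
    print("no update at all, PAP request :", outcome([]))
    print("':=' unguarded, EAP request   :", outcome(authorize([], True, ":=")))
    print("'=' unguarded, EAP request    :", outcome(authorize([], True, "=")))
    print("'=' unguarded, PAP request    :", outcome(authorize([], False, "=")))
    print("':=' guarded, EAP request     :", outcome(authorize([], True, ":=", guarded=True)))
```

Reading the scenarios: with no update at all the PAP request is rejected, which is the log line in the thread; an unguarded `:=` clobbers the `EAP` value set by eap (the "breaks anything else like eap-mschap" symptom); `=` or an existence guard leaves `EAP` alone and only fills in Auth-Type for the plaintext case.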

Ivan Kalik wrote:
> = not :=. Or check if Auth-Type already exists.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> Dana 29/5/2008, "Bram Matthys (Syzop)" <syzop at vulnscan.org> piše:
> 
>> Thanks for the hint. What would be the best place and way to do this?
>>
>> Putting this before pap in authorize { }:
>>             update control {
>>                     Auth-Type := PAP
>>             }
>> does indeed make pap work, but breaks anything else (like eap-mschap).
>>
>> I also tried:
>>         if (Control:Auth-Type == "") {
>>                 update control {
>>                         Auth-Type := PAP
>>                 }
>>         }
>> and:
>>         if (!Control:Auth-Type) {
>>                 update control {
>>                         Auth-Type := PAP
>>                 }
>>         }
>> but they don't match.
>>
>> Also, how come it is needed to force pap usage? I thought pap was supposed 
>> to always be used when no other mod took care of it (fallthrough).
>>
>> Regards,
>>
>> 	Bram.
>>
>> Ivan Kalik wrote:
>>> Use unlang to set Auth-Type PAP even if pap returns noop.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>>
>>> Dana 28/5/2008, "Bram Matthys (Syzop)" <syzop at vulnscan.org> piše:
>>>
>>>> While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
>>>> to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
>>>> software I use [securew2] does not save user credentials with mschap, and
>>>> does save them with pap. And just to offer more options to other clients).
>>>> Anyway, I tried to do it using these suggestions (after previously my own
>>>> attempt failed):
>>>> http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
>>>>
>>>> in radiusd.conf:
>>>>         exec ntlm_auth_pap {
>>>>                 wait = yes
>>>>                 input_pairs = request
>>>>                 shell_escape = yes
>>>>                 output = none
>>>>                 program = "/usr/bin/ntlm_auth --request-nt-key
>>>> --domain=MYNET --username=%{User-Name} --password=%{User-Password}"
>>>>         }
>>>>
>>>> then in sites-enabled/inner-tunnel:
>>>> authenticate {
>>>>         Auth-Type PAP {
>>>>                 ntlm_auth_pap
>>>>         }
>>>>
>>>> Actually I did the same in sites-enabled/default as well to see if it helps
>>>> (didn't matter, of course).
>>>>
>>>> Just, for the record, pap is also in the authorize { } section, listed at
>>>> the end in that block, as recommended.
>>>>
>>>> But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
>>>> to be honest I'm not even sure if pap is picking things up.
>>>>
>>>> I always end up with this:
>>>>
>>>> Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: calling pap
>>>> (rlm_pap) for request 5
>>>> Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: returned from pap
>>>> (rlm_pap) for request 5
>>>> Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
>>>> Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type)
>>>> configuration found for the request: Rejecting the user
>>>> Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
>>>> Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from
>>>> client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
>>>>
>>>>
>>>> I used this wpa supplicant config for testing with eapol_test:
>>>> network={
>>>>   ssid="mynet-test"
>>>>   key_mgmt=WPA-EAP
>>>>   eap=TTLS
>>>>   pairwise=CCMP TKIP
>>>>   group=CCMP TKIP WEP104 WEP40
>>>>   phase2="auth=PAP"
>>>>   identity="MYNET\myuser"
>>>>   password="xxx"
>>>>   anonymous_identity="anonymous at identity"
>>>> }
>>>>
>>>> I first tried a different approach, like putting ntlm_auth_pap in the
>>>> authorize { } section before pap, and then radius *is* calling ntlm_auth,
>>>> but then it just goes on and complains about not knowing the Auth-Type.
>>>> Debug:   modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
>>>> Debug:       expand: --username=%{User-Name} -> --username=MYNET\myuser
>>>> Debug:       expand: --password=%{User-Password} -> --password=xxx
>>>> Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
>>>> Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>>>> Debug: Exec-Program: returned: 0
>>>> Debug:   modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for
>>>> request 5
>>>> Debug: ++[ntlm_auth_pap] returns ok
>>>> Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
>>>> Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
>>>> Debug: ++[pap] returns noop
>>>>
>>>> I've reverted that attempt before trying everything I mentioned earlier, though.
>>>>
>>>> Regards,
>>>>
>>>> 	Bram.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
> 
> 