EAP-TTLS w/PAP using ntlm_auth

Alan DeKok aland at deployingradius.com
Thu May 29 13:02:31 CEST 2008

Bram Matthys (Syzop) wrote:
>>   You don't.  You've managed to put the "ntml_auth_pap" program into the
>> "pap" Auth-Type, for reasons I don't understand.  Why not just call it
>> ntlm_auth_pap?  After all, they're *different*.  The do NOT do the same
>> thing.
> That's what I did first, because it makes sense and sounds logical, but
> didn't get it working, as said in my original mail: it ran the program
> succesfully but then simply went on with other mods and in the end
> complaining about no auth-type being set.

  I don't think you got my point.  If you want to AUTHENTICATE using
ntlm_auth_pap... then call it in the AUTHENTICATION section.  Calling it

  You need to:

  a) set Auth-Type = ntlm_auth_pap in the authorize{} section
     which you are doing... sort of... using Auth-Type := PAP
  b) have an "Auth-Type ntlm_auth_pap" subsection in the authenticate{}
     section, which you are doing... sort of... using Auth-Type PAP.

> Could be that your suggestion there is for another type of configuration,
> but if that were the case then that wasn't clear to me.

  Yes.  Don't mangle the existing configuration.  PAP is for PAP.  If
you want a different Auth-Type, give it a different name.  There is
nothing magic about the PAP name.  You don't have to put all custom
authentication modules into the PAP subsection of the authenticate section.

  Alan DeKok.

More information about the Freeradius-Users mailing list