EAP-TTLS w/PAP using ntlm_auth

Bram Matthys (Syzop) syzop at vulnscan.org
Thu May 29 13:31:59 CEST 2008

Alan DeKok wrote:
>   I don't think you got my point.  If you want to AUTHENTICATE using
> ntlm_auth_pap... then call it in the AUTHENTICATION section.  Calling it
>   You need to:
>   a) set Auth-Type = ntlm_auth_pap in the authorize{} section
>      which you are doing... sort of... using Auth-Type := PAP
>   b) have an "Auth-Type ntlm_auth_pap" subsection in the authenticate{}
>      section, which you are doing... sort of... using Auth-Type PAP. [..]

You're right. I'll be using a separate one from now on.

>> I then tried the following statements right before ntlm_auth_pap in 
>> >authorize (you said to check if Auth-Type exists, this is the correct way to 
>> >do that, right?):
>> >         if (!Control:Auth-Type) {
>> >                 update control {
>> >                         Auth-Type = ntlm_auth_pap
>> >                 }
>> >         }
> http://www.freeradius.org/radiusd/man/unlang.html

Ok, the syntax was correct, except it should have been control instead of 
Control.. which was the problem ;).

Now everything is working fine, both pap and eap-mschapv2.

Thanks all for your help!


More information about the Freeradius-Users mailing list