EAP-TTLS w/PAP using ntlm_auth
Bram Matthys (Syzop)
syzop at vulnscan.org
Thu May 29 13:31:59 CEST 2008
Alan DeKok wrote:
> I don't think you got my point. If you want to AUTHENTICATE using
> ntlm_auth_pap... then call it in the AUTHENTICATION section. Calling it
> in the AUTHORIZATION section is not AUTHENTICATION.
>
> You need to:
>
> a) set Auth-Type = ntlm_auth_pap in the authorize{} section
> which you are doing... sort of... using Auth-Type := PAP
> b) have an "Auth-Type ntlm_auth_pap" subsection in the authenticate{}
> section, which you are doing... sort of... using Auth-Type PAP. [..]
You're right. I'll be using a separate one from now on.
>> I then tried the following statements right before ntlm_auth_pap in
>> >authorize (you said to check if Auth-Type exists, this is the correct way to
>> >do that, right?):
>> > if (!Control:Auth-Type) {
>> > update control {
>> > Auth-Type = ntlm_auth_pap
>> > }
>> > }
>
> http://www.freeradius.org/radiusd/man/unlang.html
Ok, the syntax was correct, except it should have been control instead of
Control.. which was the problem ;).
Now everything is working fine, both pap and eap-mschapv2.
Thanks all for your help!
Bram.
More information about the Freeradius-Users
mailing list