EAP-TTLS (PAP) with Win2K3 domain not working
Ivan Kalik
tnt at kalik.net
Fri Jun 26 00:03:47 CEST 2009
> First, thanks Alan for your help, I managed to make it work with AD. Now I
> want to try to test to make EAP-TTLS with PAP to authenticate users in
> domain. I saw this link
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
>
> So I added following lines to modules section of radiusd.conf
>
> exec ntlm_auth_pap {
> wait = yes
> input_pairs = request
> shell_escape = yes
> output = none
>
> program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE
> --password=%{User-Password}"
> }
>
> and I edited /etc/freeradius/sites-available/default file and
> /etc/freeradius/sites-enabled/default, section authenticate to
>
> Auth-Type PAP
> {
> ntlm_auth_pap
> }
Don't do that. One - it's a wrong virtual server and two - it's not going
to work. Use the same technique as in the guide for pap requests. List
ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look
at ttls section of eap.conf and you will see where will inner tunnel
requests end up). Forcing Auth-Type in users file might break a few things
so add this to authenticate section of inner-tunnel virtual server *after*
pap instead:
if(!control:Auth-Type) {
update control {
Auth-Type = ntlm_auth_pap
}
}
That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if
password is nowhere to be found.
Ivan Kalik
Kalik Informatika ISP
More information about the Freeradius-Users
mailing list