EAP-TTLS (PAP) with Win2K3 domain not working

Petar Marinkovic highl1 at gmail.com
Fri Jun 26 10:57:57 CEST 2009


Sorry, I just c/p'd that line from another link.

Here is mine:

exec ntlm_auth_pap {
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = none
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}"
}

Should the domain field be the pre-Windows 2000/NT name or the FQDN (domain.com)?

Also, I didn't quite get you; I am new to both Linux and FreeRADIUS.
Should I set the following

Auth-Type PAP
  {
  ntlm_auth_pap
  }

in the authenticate section of the /etc/freeradius/sites-enabled/inner-tunnel and
/etc/freeradius/sites-available/inner-tunnel files?

Thanks for all your help

On Thu, Jun 25, 2009 at 18:43, <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
>
> >  exec ntlm_auth_pap {
> >               wait = yes
> >               input_pairs = request
> >               shell_escape = yes
> >               output = none
> >
> >               program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
>                           ^^^^^^^^^^^^
>
> I really do hope that you changed that bit to be the correct $PATH
> for your ntlm_auth command
>
> > and I edited /etc/freeradius/sites-available/default file and
> > /etc/freeradius/sites-enabled/default, section authenticate to
> >
> > Auth-Type PAP
> > {
> > ntlm_auth_pap
> > }
>
> no. this is TTLS, so this is going to occur in the inner-tunnel
> unless you've really cooked up your config in some weird way.
> a default install will use the inner-tunnel sites-enabled file
> - put your ntlm_auth_pap stuff into that file.
>
> > server inner-tunnel {
> > +- entering group authorize {...}
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > ++[unix] returns notfound
> > [suffix] No '@' in User-Name = "testuser", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > ++[control] returns noop
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] returns noop
> > ++[files] returns noop
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > ++[pap] returns noop
> > No authenticate method (Auth-Type) configuration found for the
> > request: Rejecting the user
> >
> > Failed to authenticate the user.
> > } # server inner-tunnel
>
> see. inner-tunnel. you aren't dealing with the user properly
>
> alan
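The reading of the quoted debug output that the reply does by eye (which virtual server rejected the request, and whether any module acted before the "No authenticate method (Auth-Type)" line) can be scripted. This is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical, and treating `noop`/`notfound` as "the module did not act" is this example's assumption.

```python
import re

# Debug output quoted in the thread, with mail quoting and line wrap removed.
SAMPLE_DEBUG = """\
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
} # server inner-tunnel
"""

SERVER_OPEN = re.compile(r"^server (\S+) \{")
SERVER_CLOSE = re.compile(r"^\} # server \S+")
MODULE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type)"

def diagnose(debug_text):
    """Return one dict per 'server NAME { ... }' block found in debug output."""
    findings, stack = [], []  # stack copes with one server block nested in another
    for line in map(str.strip, debug_text.splitlines()):
        if m := SERVER_OPEN.match(line):
            stack.append({"server": m.group(1), "returns": {}, "no_auth_type": False})
        elif not stack:
            continue  # line is outside any virtual server block
        elif SERVER_CLOSE.match(line):
            findings.append(stack.pop())
        elif m := MODULE.match(line):
            stack[-1]["returns"][m.group(1)] = m.group(2)
        elif NO_AUTH_TYPE in line:
            stack[-1]["no_auth_type"] = True
    return findings + stack[::-1]  # include blocks the capture cut off

def explain(f):
    """One-line summary for a block rejected with no Auth-Type, else None."""
    acted = [m for m, rc in f["returns"].items() if rc not in ("noop", "notfound")]
    msg = f"server {f['server']}: no Auth-Type set; modules that acted: {acted or 'none'}"
    return msg if f["no_auth_type"] else None
```

Calling `explain()` on each result of `diagnose(SAMPLE_DEBUG)` yields a single line naming inner-tunnel, with no module having acted on the request.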