EAP-TTLS (PAP) with Win2K3 domain not working

Petar Marinkovic highl1 at gmail.com
Fri Jun 26 11:05:20 CEST 2009


In eap.conf, for EAP-TTLS, there is a line

virtual_server = "inner-tunnel"

I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel
and /etc/freeradius/sites-available/inner-tunnel files, like this

Auth-Type PAP
{
      pap
}

if(!control:Auth-Type) {
    update control {
         Auth-Type = ntlm_auth_pap
    }
}

and when I try to restart the server, I get the following error:

radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
/etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value
ntlm_auth_pap for attribute Auth-Type

/etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse
"update" subsection.

/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
authenticate section.

Errors initializing modules

Sorry if I am asking stupid questions, but I am new to Linux and FreeRADIUS,
and this is all so confusing for me :) What am I doing wrong?


On Fri, Jun 26, 2009 at 00:03, Ivan Kalik <tnt at kalik.net> wrote:

> > First, thanks Alan for your help, I managed to make it work with AD. Now I
> > want to test EAP-TTLS with PAP to authenticate users in the domain. I saw
> > this link
> >
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
> >
> > So I added following lines to modules section of radiusd.conf
> >
> >  exec ntlm_auth_pap {
> >               wait = yes
> >               input_pairs = request
> >               shell_escape = yes
> >               output = none
> >
> >               program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
> >   }
> >
> > and I edited /etc/freeradius/sites-available/default file and
> > /etc/freeradius/sites-enabled/default, section authenticate to
> >
> > Auth-Type PAP
> > {
> > ntlm_auth_pap
> > }
>
> Don't do that. One - it's the wrong virtual server and two - it's not going
> to work. Use the same technique as in the guide for PAP requests. List
> ntlm_auth_pap in the authenticate section of the inner-tunnel virtual server
> (look at the ttls section of eap.conf and you will see where inner tunnel
> requests will end up). Forcing Auth-Type in the users file might break a few
> things, so add this to the authenticate section of the inner-tunnel virtual
> server *after* pap instead:
>
> if(!control:Auth-Type) {
>     update control {
>          Auth-Type = ntlm_auth_pap
>     }
> }
>
> That will set Auth-Type to ntlm_auth_pap for a PAP inner tunnel request if
> the password is nowhere to be found.
>
> Ivan Kalik
> Kalik Informatika ISP
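An added example, not taken from this thread and not Ivan's or the FreeRADIUS project's own configuration, showing how the pieces discussed above fit together in a FreeRADIUS 2.x inner-tunnel virtual server. It assumes the exec module is named ntlm_auth_pap exactly as in the thread and keeps the thread's placeholder path /path/to/ntlm_auth. Two placement choices are the point of the example: the authenticate section does not run top to bottom, it only dispatches on control:Auth-Type, so the conditional that selects ntlm_auth_pap goes in authorize after pap (which sets Auth-Type = PAP only when it finds a cleartext password for the user); and listing the module under its own Auth-Type block in authenticate is what registers "ntlm_auth_pap" as a value for the Auth-Type attribute, which is the value the parser reported as unknown in the error above.

```text
# Added example configuration (not from the original post).
# Assumptions: module name ntlm_auth_pap as in the thread; path left as
# the thread's placeholder; FreeRADIUS 2.x unlang syntax.

# --- radiusd.conf, inside modules { ... } ---
exec ntlm_auth_pap {
        wait = yes
        input_pairs = request
        shell_escape = yes          # keep: User-Name/User-Password are attacker-supplied strings
        output = none
        program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
}

# --- eap.conf, ttls { ... } (already present per the thread) ---
#       virtual_server = "inner-tunnel"

# --- sites-available/inner-tunnel (sites-enabled/inner-tunnel is a symlink to it) ---
authorize {
        # ... other authorize modules as shipped ...
        pap     # sets control:Auth-Type = PAP only if a Cleartext-Password was found

        # Nothing claimed the request (no known password for the user):
        # send it to the domain via ntlm_auth_pap instead of rejecting.
        if (!control:Auth-Type) {
                update control {
                        Auth-Type := ntlm_auth_pap
                }
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }

        # This block is what makes "ntlm_auth_pap" a known Auth-Type value;
        # without it, "update control { Auth-Type = ntlm_auth_pap }" fails
        # to parse with "Unknown value ntlm_auth_pap for attribute Auth-Type".
        Auth-Type ntlm_auth_pap {
                ntlm_auth_pap
        }
}
```

Edit sites-available/inner-tunnel only, since sites-enabled/inner-tunnel normally points at it. One caveat to keep in mind with this design: inside the TTLS tunnel the PAP password is decrypted by the server and handed to ntlm_auth on its command line, so for the duration of each call it is visible in the process list of the RADIUS host; keep shell_escape = yes so that a crafted User-Name or User-Password cannot inject shell metacharacters, and restrict local logins on that host accordingly.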


More information about the Freeradius-Users mailing list