EAP-TTLS (PAP) with Win2K3 domain not working
Petar Marinkovic
highl1 at gmail.com
Fri Jun 26 11:05:20 CEST 2009
In eap.conf, for eap-ttls there is a line
virtual_server = "inner-tunnel"
I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel
and /etc/freeradius/sites-available/inner-tunnel files, like this
Auth-Type PAP
{
pap
}
if(!control:Auth-Type) {
update control {
Auth-Type = ntlm_auth_pap
}
}
and when I try to restart the server, I get following error:
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
/etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value
ntlm_auth_pap for attribute Auth-Type
/etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse
"update" subsection.
/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
authenticate section.
Errors initializing modules
Sorry if I am asking stupid questions, but I am new to linux and freeradius,
and this is all so confusing for me :) What I am doing wrong?
On Fri, Jun 26, 2009 at 00:03, Ivan Kalik <tnt at kalik.net> wrote:
> > First, thanks Alan for your help, I managed to make it work with AD. Now
> I
> > want to try to test to make EAP-TTLS with PAP to authenticate users in
> > domain. I saw this link
> >
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
> >
> > So I added following lines to modules section of radiusd.conf
> >
> > exec ntlm_auth_pap {
> > wait = yes
> > input_pairs = request
> > shell_escape = yes
> > output = none
> >
> > program = "/path/to/ntlm_auth --username=%{User-Name}
> --domain=EXCHANGE
> > --password=%{User-Password}"
> > }
> >
> > and I edited /etc/freeradius/sites-available/default file and
> > /etc/freeradius/sites-enabled/default, section authenticate to
> >
> > Auth-Type PAP
> > {
> > ntlm_auth_pap
> > }
>
> Don't do that. One - it's a wrong virtual server and two - it's not going
> to work. Use the same technique as in the guide for pap requests. List
> ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look
> at ttls section of eap.conf and you will see where will inner tunnel
> requests end up). Forcing Auth-Type in users file might break a few things
> so add this to authenticate section of inner-tunnel virtual server *after*
> pap instead:
>
> if(!control:Auth-Type) {
> update control {
> Auth-Type = ntlm_auth_pap
> }
> }
>
> That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if
> password is nowhere to be found.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090626/cee288b8/attachment.html>
More information about the Freeradius-Users
mailing list