EAP-TTLS (PAP) with Win2K3 domain not working

Petar Marinkovic highl1 at gmail.com
Fri Jun 26 11:31:40 CEST 2009


Similar error, again when the server is starting

Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
  }
/etc/freeradius/sites-enabled/inner-tunnel[157]: ERROR: Unknown value ntlm_auth_pap for attribute Auth-Type

/etc/freeradius/sites-enabled/inner-tunnel[156]: Failed to parse "update" subsection.

/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.

Errors initializing modules


That part of code is in /etc/freeradius/sites-enabled/inner-tunnel and
/etc/freeradius/sites-available/inner-tunnel files, like this

pap

 if(!control:Auth-Type) {
     update control {
          Auth-Type = ntlm_auth_pap
     }
 }

Thanks in advance!

Petar



On Fri, Jun 26, 2009 at 11:22, Ivan Kalik <tnt at kalik.net> wrote:

> > In eap.conf, for eap-ttls there is a line
> >
> > virtual_server = "inner-tunnel"
> >
> > I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel
> > and /etc/freeradius/sites-available/inner-tunnel files, like this
> >
> > Auth-Type PAP
> > {
> >       pap
> > }
> >
> > if(!control:Auth-Type) {
> >     update control {
> >          Auth-Type = ntlm_auth_pap
> >     }
> > }
>
> Sorry, mistake in my instructions. Put that in authorize (not
> authenticate) after pap.
>
> > and when I try to restart the server, I get following error:
> >
> > radiusd: #### Loading Virtual Servers ####
> > server inner-tunnel {
> >  modules {
> >  Module: Checking authenticate {...} for more modules to load
> >  Module: Linked to module rlm_pap
> >  Module: Instantiating pap
> >   pap {
> >     encryption_scheme = "auto"
> >     auto_header = no
> >   }
> > /etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value ntlm_auth_pap for attribute Auth-Type
> >
> > /etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse "update" subsection.
> >
> > /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
> >
> > Errors initializing modules
> >
> > Sorry if I am asking stupid questions, but I am new to Linux and FreeRADIUS,
> > and this is all so confusing for me :) What am I doing wrong?
> >
> >
> > On Fri, Jun 26, 2009 at 00:03, Ivan Kalik <tnt at kalik.net> wrote:
> >
> >> > First, thanks Alan for your help, I managed to make it work with AD. Now I
> >> > want to try to test to make EAP-TTLS with PAP to authenticate users in
> >> > domain. I saw this link
> >> >
> >> > http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
> >> >
> >> > So I added following lines to modules section of radiusd.conf
> >> >
> >> >  exec ntlm_auth_pap {
> >> >               wait = yes
> >> >               input_pairs = request
> >> >               shell_escape = yes
> >> >               output = none
> >> >
> >> >               program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
> >> >   }
> >> >
> >> > and I edited /etc/freeradius/sites-available/default file and
> >> > /etc/freeradius/sites-enabled/default, section authenticate to
> >> >
> >> > Auth-Type PAP
> >> > {
> >> > ntlm_auth_pap
> >> > }
> >>
> >> Don't do that. One - it's a wrong virtual server and two - it's not going
> >> to work. Use the same technique as in the guide for pap requests. List
> >> ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look
> >> at ttls section of eap.conf and you will see where will inner tunnel
> >> requests end up). Forcing Auth-Type in users file might break a few things
> >> so add this to authenticate section of inner-tunnel virtual server *after*
> >> pap instead:
> >>
> >> if(!control:Auth-Type) {
> >>     update control {
> >>          Auth-Type = ntlm_auth_pap
> >>     }
> >> }
> >>
> >> That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if
> >> password is nowhere to be found.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >
>
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
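The "Unknown value ntlm_auth_pap for attribute Auth-Type" error from this thread, reproduced as a small offline check (an added example, not part of the original messages or of FreeRADIUS). It assumes FreeRADIUS 2.x behaviour, where an Auth-Type value becomes known once it is listed in the virtual server's authenticate section; values defined in dictionary files are ignored, and the function names and sample configuration are constructed for illustration.

```python
import re

# Constructed sample: authorize assigns a value that authenticate never lists.
BROKEN = """
authorize {
    pap
    if (!control:Auth-Type) {
        update control {
            Auth-Type = ntlm_auth_pap
        }
    }
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
"""
# Same file with the module also listed in authenticate, which defines the value.
FIXED = BROKEN.replace("authenticate {", "authenticate {\n    ntlm_auth_pap", 1)

def section_body(text, name):
    """Return the text between the braces of the first `name { ... }` block."""
    m = re.search(r"^\s*%s\s*\{" % re.escape(name), text, re.M)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def known_auth_types(text):
    """Values defined by authenticate: `Auth-Type X {` or a bare module name."""
    known, depth = set(), 0
    for raw in section_body(text, "authenticate").splitlines():
        line = raw.split("#")[0].strip()
        sub = re.match(r"Auth-Type\s+([\w-]+)", line)
        if sub:
            known.add(sub.group(1).lower())
        elif depth == 0 and re.fullmatch(r"[\w.-]+", line):
            known.add(line.lower())
        depth += line.count("{") - line.count("}")
    return known

def undefined_auth_types(text):
    """Auth-Type values assigned in unlang that authenticate does not define."""
    assigned = re.findall(r"^\s*Auth-Type\s*:?=\s*([\w-]+)", text, re.M)
    return [v for v in assigned if v.lower() not in known_auth_types(text)]
```

Running `undefined_auth_types()` over a site file before restarting the server lists every assigned Auth-Type that would trigger the parse error shown above.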