captive portal auth with freeradius

Matthew Newton mcn4 at leicester.ac.uk
Fri Apr 19 20:02:21 CEST 2013


On Fri, Apr 19, 2013 at 10:42:04PM +0530, Chitrang Srivastava wrote:
> OK, I will try that out; the ntlm_auth module is already configured and works
> for radtest and wifi.

In the mschap/eap modules using mschap keys.

> So ntlm_auth with captive portal, is that the way to go, as told by you?
> All other captive portal servers we have to do like that?

There are two ways of calling ntlm_auth. First with MSCHAP keys,
the other with username and password.

The mschap module takes the mschap keys from RADIUS and passes
them to ntlm_auth for checking against AD. e.g. EAP-TTLS/MSCHAPv2,
or just plain mschap.

The eap module extracts the mschap keys from the EAP
(EAP-MSCHAP-V2) data and passes them internally to the mschap
module which passes them to ntlm_auth for auth. e.g.
PEAP/EAP-MSCHAPv2

These are what you've been doing so far, from what I can tell.

We've not seen radiusd -X output for an auth success for wifi or
radtest, so nobody can really be sure.

The second method is to pass ntlm_auth a username and password,
and ask it to authenticate for you. This has *nothing* to do with
the mschap or eap modules, which deal with keys and NT hashes.

It's essentially another auth method for PAP. The PAP module
can't do it for you, as it knows nothing about the ntlm_auth
utility, so you have to call it yourself, using something like the
config I gave you just now.

Matthew




> On Fri, Apr 19, 2013 at 9:56 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
> > On Fri, Apr 19, 2013 at 08:59:57PM +0530, Chitrang Srivastava wrote:
> > > I am using Microsoft 2003 Active Directory Server; the way wifi (MSCHAPv2)
> > > works is with ntlm_auth, which does the authentication.
> >
> > OK, finally the information that's needed.
> >
> > > The way it works with wifi or radtest is: Auth-Type is set to EAP (it
> > > refers to eap.conf), it goes to the mschap module (sets up the TLS channel and
> > > then under that), from there it's told to use the external program ntlm_auth,
> > > which does the authentication and tells radius if it's OK or not.
> > >
> > > What I was trying is to get a similar way working with captive portal as
> > > well.
> >
> > There's an example in raddb/modules/ntlm_auth. Configure that
> > file, and then do something like this:
> >
> > authorize {
> > ...
> >    if (!EAP-Message && User-Password) {
> >      update control {
> >        Auth-Type = PAP
> >      }
> >    }
> > }
> >
> > authenticate {
> >   Auth-Type PAP {
> >     # pap <-- comment out
> >     ntlm_auth
> >   }
> > }
> >
> > Then it should take your User-Name and User-Password, check them
> > using the ntlm_auth utility rather than the pap module (the
> > ntlm_auth "module" is just an instantiation of exec).
> >
> > Matthew
> >
> >
> >
> > --
> > Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
> >
> > Systems Specialist, Infrastructure Services,
> > I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> >
> > For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
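For readers following this thread, here is the complete configuration the two calling styles above imply, side by side. This is an added example, not text from Matthew's or Chitrang's messages and not the stock raddb files verbatim: the ntlm_auth path (/usr/bin/ntlm_auth), the domain name MYDOMAIN and the module layout are assumptions to adjust for your build and AD domain.

```conf
# Added example (not from this thread): the two ways FreeRADIUS 2.x hands
# credentials to Samba's ntlm_auth.  Paths and MYDOMAIN are placeholders.

# --- 1. Key-based: raddb/modules/mschap --------------------------------
# The mschap module (called directly for plain MSCHAP / EAP-TTLS-MSCHAPv2,
# or internally by the eap module for PEAP/EAP-MSCHAPv2) never sees a
# password.  It forwards the MSCHAP challenge and NT-Response and lets
# winbind verify them against AD.
mschap {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- 2. Password-based: raddb/modules/ntlm_auth ------------------------
# A captive portal NAS sends PAP (User-Name plus cleartext User-Password).
# This "module" is just an rlm_exec instance: ntlm_auth is run with the
# password and its exit status decides the outcome (0 = accept, 1 = reject).
# wait = yes is required, otherwise the exit code is never examined.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- 3. Wiring in raddb/sites-enabled/default --------------------------
authorize {
	preprocess
	mschap
	eap {
		ok = return
	}
	# Not an EAP request, but a cleartext password arrived: force PAP so
	# the request reaches our ntlm_auth-backed section below.  ":=" overrides
	# any Auth-Type an earlier module may already have set.
	if (!EAP-Message && User-Password) {
		update control {
			Auth-Type := PAP
		}
	}
}

authenticate {
	Auth-Type PAP {
		ntlm_auth     # instead of "pap": the pap module cannot talk to winbind
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

Before touching the radius config, confirm winbind itself works as the radiusd user with `ntlm_auth --request-nt-key --domain=MYDOMAIN --username=someuser --password=...` and check `echo $?` prints 0; the radiusd user must be able to read winbind's privileged pipe directory or every password check fails regardless of the credentials. Then `radtest someuser password 127.0.0.1 0 testing123` sends a PAP request, and `radiusd -X` should show the ntlm_auth exec module, not pap, being called in the Auth-Type PAP section. Two caveats for the password path: the cleartext password is placed on the ntlm_auth command line, where it is briefly visible in the process list on the RADIUS host, and it travels from the portal in the RADIUS User-Password attribute, which is only obfuscated with the shared secret, so keep that hop on a trusted network or inside a tunnel.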

