Use unlang to set Auth-Type PAP even if pap returns noop.

Ivan Kalik
Kalik Informatika ISP

On 28/5/2008, "Bram Matthys (Syzop)" <[EMAIL PROTECTED]> wrote:

>While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
>to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
>software I use [securew2] does not save user credentials with mschap, and
>does save them with pap. And just to offer more options to other clients).
>Anyway, I tried to do it using these suggestions (after previously my own
>attempt failed):
>http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
>
>in radiusd.conf:
>        exec ntlm_auth_pap {
>                wait = yes
>                input_pairs = request
>                shell_escape = yes
>                output = none
>                program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYNET --username=%{User-Name} --password=%{User-Password}"
>        }
>
>then in sites-enabled/inner-tunnel:
>authenticate {
>        Auth-Type PAP {
>                ntlm_auth_pap
>        }
>}
>
>Actually I did the same in sites-enabled/default as well to see if it helps
>(didn't matter, of course).
>
>Just, for the record, pap is also in the authorize { } section, listed at
>the end in that block, as recommended.
>
>But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
>to be honest I'm not even sure if pap is picking things up.
>
>I always end up with this:
>
>Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
>Wed May 28 15:16:08 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
>Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
>Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
>Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
>
>
>I used this wpa supplicant config for testing with eapol_test:
>network={
>        ssid="mynet-test"
>        key_mgmt=WPA-EAP
>        eap=TTLS
>        pairwise=CCMP TKIP
>        group=CCMP TKIP WEP104 WEP40
>        phase2="auth=PAP"
>        identity="MYNET\myuser"
>        password="xxx"
>        anonymous_identity="[EMAIL PROTECTED]"
>}
>
>I first tried a different approach, like putting ntlm_auth_pap in the
>authorize { } section before pap, and then radius *is* calling ntlm_auth,
>but then it just goes on and complains about not knowing the Auth-Type.
>Debug:   modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
>Debug:         expand: --username=%{User-Name} -> --username=MYNET\myuser
>Debug:         expand: --password=%{User-Password} -> --password=xxx
>Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
>Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>Debug: Exec-Program: returned: 0
>Debug:   modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for request 5
>Debug: ++[ntlm_auth_pap] returns ok
>Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 5
>Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 5
>Debug: ++[pap] returns noop
>
>I've reverted that attempt before trying everything I mentioned earlier,
>though.
>
>Regards,
>
>    Bram.
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
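
The suggestion at the top of this reply written out as configuration, as an added example that is not part of the original messages. It reuses the ntlm_auth_pap exec instance and the inner-tunnel virtual server from the quoted message; the User-Password guard is an added assumption so that inner EAP-MSCHAPv2 requests, which carry no User-Password, keep the Auth-Type they already get.

```unlang
# sites-enabled/inner-tunnel (fragment; other modules omitted)
authorize {
        # ... existing modules stay as they are ...

        # pap stays last, as in the quoted setup. In the quoted debug log
        # it returns noop, so it never sets Auth-Type and the request is
        # rejected with "No authenticate method (Auth-Type) configuration
        # found for the request".
        pap

        # Force Auth-Type for inner PAP requests only. The guard on
        # User-Password is an assumption added here: it leaves requests
        # without a cleartext password (e.g. inner EAP-MSCHAPv2) alone.
        if (User-Password) {
                update control {
                        Auth-Type := PAP
                }
        }
}

authenticate {
        # With Auth-Type now set to PAP, this sub-section is selected and
        # the exec instance from radiusd.conf performs the actual check.
        Auth-Type PAP {
                ntlm_auth_pap
        }
}
```

Passing --password=%{User-Password} as a program argument exposes the cleartext password to local process listings and, as the expand lines in the quoted debug log show, to the debug output, so restrict access to both on the RADIUS host.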

