Ok... I took Alan's advise of taking it out of pap, my config is now:
authenticate {
..
ntlm_auth_pap
and
authorize {
..(near the end)..
ntlm_auth_pap
I then tried the following statements right before ntlm_auth_pap in
authorize (you said to check if Auth-Type exists, this is the correct way to
do that, right?):
if (!Control:Auth-Type) {
update control {
Auth-Type = ntlm_auth_pap
}
}
this results in:
Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type)
Thu May 29 13:01:47 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE
Thu May 29 13:01:47 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE
and I tried this:
if (Control:Auth-Type == "") {
update control {
Auth-Type = ntlm_auth_pap
}
}
which resulted in:
Thu May 29 13:04:45 2008 : Debug: ++[logintime] returns noop
Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "")
Thu May 29 13:04:45 2008 : Debug: ? Evaluating (Control:Auth-Type == "") ->
FALSE
Thu May 29 13:04:45 2008 : Debug: ++? if (Control:Auth-Type == "") -> FALSE
Now, for the record, this is what I now get.. a bit more verbose:
Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type)
Thu May 29 13:05:27 2008 : Debug: ? Evaluating !(Control:Auth-Type) -> TRUE
Thu May 29 13:05:27 2008 : Debug: ++? if (!Control:Auth-Type) -> FALSE
Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: calling
ntlm_auth_pap (rlm_exec) for request 5
Thu May 29 13:05:27 2008 : Debug: expand: --username=%{User-Name} ->
--username=MYNET\myuser
Thu May 29 13:05:27 2008 : Debug: expand: --password=%{User-Password}
-> --password=xxx
Thu May 29 13:05:27 2008 : Debug: Exec-Program output: NT_STATUS_OK: Success
(0x0)
Thu May 29 13:05:27 2008 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Thu May 29 13:05:27 2008 : Debug: Exec-Program: returned: 0
Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: returned from
ntlm_auth_pap (rlm_exec) for request 5
Thu May 29 13:05:27 2008 : Debug: ++[ntlm_auth_pap] returns ok
Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: calling pap
(rlm_pap) for request 5
Thu May 29 13:05:27 2008 : Debug: modsingle[authorize]: returned from pap
(rlm_pap) for request 5
Thu May 29 13:05:27 2008 : Debug: ++[pap] returns noop
Thu May 29 13:05:27 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Thu May 29 13:05:27 2008 : Debug: auth: Failed to validate the user.
Thanks for your time / Regards,
Bram.
PS: I also tried 'if (!(Control:Auth-Type))' just in case, but same problem.
Ivan Kalik wrote:
= not :=. Or check if Auth-Type already exists.
Ivan Kalik
Kalik Informatika ISP
Dana 29/5/2008, "Bram Matthys (Syzop)" <[EMAIL PROTECTED]> piše:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }:
update control {
Auth-Type := PAP
}
does indeed make pap work, but breaks anything else (like eap-mschap).
I also tried:
if (Control:Auth-Type == "") {
update control {
Auth-Type := PAP
}
}
and:
if (!Control:Auth-Type) {
update control {
Auth-Type := PAP
}
}
but they don't match.
Also, how come it is needed to force pap usage? I thought pap was supposed
to always be used when no other mod took care of it (fallthrough).
Regards,
Bram.
Ivan Kalik wrote:
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik
Kalik Informatika ISP
Dana 28/5/2008, "Bram Matthys (Syzop)" <[EMAIL PROTECTED]> piše:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the client
software I use [securew2] does not save user credentials with mschap, and
does save them with pap. And just to offer more options to other clients).
Anyway, I tried to do it using these suggestions (after previously my own
attempt failed):
http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
in radiusd.conf:
exec ntlm_auth_pap {
wait = yes
input_pairs = request
shell_escape = yes
output = none
program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYNET --username=%{User-Name} --password=%{User-Password}"
}
then in sites-enabled/inner-tunnel:
authenticate {
Auth-Type PAP {
ntlm_auth_pap
}
Actually I did the same in sites-enabled/default as well to see if it helps
(didn't matter, of course).
Just, for the record, pap is also in the authorize { } section, listed at
the end in that block, as recommended.
But.. no luck.. it seems the ntlm_auth stuff is not being called at all, and
to be honest I'm not even sure if pap is picking things up.
I always end up with this:
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: calling pap
(rlm_pap) for request 5
Wed May 28 15:16:08 2008 : Debug: modsingle[authorize]: returned from pap
(rlm_pap) for request 5
Wed May 28 15:16:08 2008 : Debug: ++[pap] returns noop
Wed May 28 15:16:08 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Wed May 28 15:16:08 2008 : Debug: auth: Failed to validate the user.
Wed May 28 15:16:08 2008 : Auth: Login incorrect: [MYNET\\myuser/xxx] (from
client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)
I used this wpa supplicant config for testing with eapol_test:
network={
ssid="mynet-test"
key_mgmt=WPA-EAP
eap=TTLS
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
phase2="auth=PAP"
identity="MYNET\myuser"
password="xxx"
anonymous_identity="[EMAIL PROTECTED]"
}
I first tried a different aproach, like putting ntlm_auth_pap in the
authorize { } section before pap, and then radius *is* calling ntlm_auth,
but then it just goes on and complains about not known the Auth-Type.
Debug: modsingle[authorize]: calling ntlm_auth_pap (rlm_exec) for request 5
Debug: expand: --username=%{User-Name} -> --username=MYNET\myuser
Debug: expand: --password=%{User-Password} -> --password=xxx
Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program: returned: 0
Debug: modsingle[authorize]: returned from ntlm_auth_pap (rlm_exec) for
request 5
Debug: ++[ntlm_auth_pap] returns ok
Debug: modsingle[authorize]: calling pap (rlm_pap) for request 5
Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 5
Debug: ++[pap] returns noop
I've reverted that attempt before trying everything I mentioned earlier, though.
Regards,
Bram.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
