Hi Alan,

Alan DeKok wrote:
Bram Matthys (Syzop) wrote:
Thanks for the hint. What would be the best place and way to do this?

Putting this before pap in authorize { }:
            update control {
                    Auth-Type := PAP
            }
does indeed make pap work, but breaks anything else (like eap-mschap).

  Use '='.  See "man unlang".  This IS documented.

Right.

Also, how come it is needed to force pap usage? I thought pap was
supposed to always be used when no other mod took care of it (fallthrough).

  You don't.  You've managed to put the "ntlm_auth_pap" program into the
"pap" Auth-Type, for reasons I don't understand.  Why not just call it
ntlm_auth_pap?  After all, they're *different*.  They do NOT do the same
thing.

That's what I did first, because it makes sense and sounds logical, but
didn't get it working, as said in my original mail: it ran the program
successfully but then simply went on with other mods and in the end
complaining about no auth-type being set.
Anyway, when that didn't work I then saw a message from you (also mentioned
in my original mail):
http://lists.cistron.nl/pipermail/freeradius-users/2008-March/070469.html
So I thought I'd give that a try.
Could be that your suggestion there is for another type of configuration,
but if that were the case then that wasn't clear to me.

  The reason you need to force Auth-Type here is that the PAP module
sets "Auth-Type = PAP" ONLY when BOTH of the following apply:

  a) no other module has already set Auth-Type
  b) there is a "known good" password in the control item list.

  In your case, (b) isn't true.

Correct.

If you run the server in debugging
mode, the pap module will TELL YOU that it is not setting Auth-Type to
PAP, and it will say WHY it is doing this.

  In your case, you are using the ntlm_auth_pap program as an
"authentication oracle".  See:

http://deployingradius.com/documents/protocols/oracles.html

  It even lists "ntlm_auth" in the table.

Yup. Saw that page.

Regards,

        Bram.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
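
The `:=` versus `=` difference and the PAP module's two conditions discussed in this thread, as a simplified Python model added here (not FreeRADIUS code and not from either poster). The dict-based control list, the `known-good-password` key, the function names and the reason strings are assumptions for illustration, as is the premise that the eap or mschap module has set Auth-Type before the update block runs.

```python
def update_control(control, attr, op, value):
    """Apply one 'update control' entry to a dict standing in for the control list."""
    if op == ":=":
        control[attr] = value            # always set, replacing any existing value
    elif op == "=":
        control.setdefault(attr, value)  # set only if the attribute is not present
    else:
        raise ValueError(f"operator not modelled: {op}")


def pap_authorize(control):
    """Rule from the thread: PAP sets Auth-Type only if (a) nothing else
    has set it and (b) a known-good password is in the control list."""
    if "Auth-Type" in control:
        return "not setting Auth-Type: already set by another module"
    if "known-good-password" not in control:  # hypothetical key name
        return "not setting Auth-Type: no known-good password"
    control["Auth-Type"] = "PAP"
    return "set Auth-Type = PAP"


def authorize(earlier_auth_type, op=None):
    """Model the authorize section for the oracle case (no known-good password).

    earlier_auth_type: value an earlier module set ("EAP", "MS-CHAP") or None
    op: operator used in the 'update control' block, or None for no block
    Returns the final Auth-Type, or None if nothing set one.
    """
    control = {}
    if earlier_auth_type:
        control["Auth-Type"] = earlier_auth_type
    if op:
        update_control(control, "Auth-Type", op, "PAP")
    pap_authorize(control)
    return control.get("Auth-Type")


# Constructed request kinds: None stands for a plain PAP request
OUTCOMES = {
    (kind, op): authorize(kind, op)
    for kind in (None, "EAP", "MS-CHAP")
    for op in (None, ":=", "=")
}

if __name__ == "__main__":
    for (kind, op), result in OUTCOMES.items():
        print(f"earlier={kind!s:8} op={op!s:4} -> Auth-Type={result}")
```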