> First, thanks Alan for your help, I managed to make it work with AD. Now I
> want to try to test to make EAP-TTLS with PAP to authenticate users in
> domain. I saw this link
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
>
> So I added following lines to modules section of radiusd.conf
>
> exec ntlm_auth_pap {
>     wait = yes
>     input_pairs = request
>     shell_escape = yes
>     output = none
>
>     program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
> }
>
> and I edited /etc/freeradius/sites-available/default file and
> /etc/freeradius/sites-enabled/default, section authenticate to
>
> Auth-Type PAP
> {
>     ntlm_auth_pap
> }

Don't do that. One - it's a wrong virtual server and two - it's not going to work. Use the same technique as in the guide for pap requests. List ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look at ttls section of eap.conf and you will see where will inner tunnel requests end up).

Forcing Auth-Type in users file might break a few things so add this to authenticate section of inner-tunnel virtual server *after* pap instead:

    if(!control:Auth-Type) {
        update control {
            Auth-Type = ntlm_auth_pap
        }
    }

That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if password is nowhere to be found.

Ivan Kalik
Kalik Informatika ISP
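
The pieces from the reply above, assembled into one inner-tunnel fragment. This is an added example, not part of the original post and not the project's shipped file. It assumes the FreeRADIUS 2.x layout used in the thread and, as a further assumption, places the fallback block in authorize directly after pap, since Auth-Type is selected before the authenticate section runs.

```conf
# sites-available/inner-tunnel (added example; only the parts discussed in the thread).
# The ttls section of eap.conf sends inner requests here via:
#     virtual_server = "inner-tunnel"
server inner-tunnel {

    authorize {
        # ... stock modules from the shipped file stay as they are ...

        # pap sets Auth-Type = PAP only when a usable password
        # (Cleartext-Password, a hash, etc.) was found for the user.
        pap

        # Fallback: nothing above chose an Auth-Type, so there is no local
        # password to compare against. Hand the PAP password to ntlm_auth.
        # Placement in authorize is an assumption of this example.
        if (!control:Auth-Type) {
            update control {
                Auth-Type = ntlm_auth_pap
            }
        }
    }

    authenticate {
        # Local password comparison, used when pap found a password.
        Auth-Type PAP {
            pap
        }

        # Listing the exec instance here makes "ntlm_auth_pap" a valid
        # Auth-Type value; it runs the ntlm_auth command defined under
        # modules in radiusd.conf.
        ntlm_auth_pap

        # Inner EAP methods are unaffected: eap sets Auth-Type itself,
        # so the fallback condition above is false for them.
        eap
    }
}
```

Running the server in debug mode (-X) shows which Auth-Type the inner request ended up with, which confirms whether the fallback fired.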