kerberos authentication
Alan DeKok
aland at ox.org
Wed Jan 11 20:12:35 CET 2006
"Riccardo.Veraldi" <Riccardo.Veraldi at fi.infn.it> wrote:
> But I am unable to successfully authenticate
> and I get this error:
>
> rlm_krb5: Attribute "User-Password" is required for authentication.
...
> I would like the authentication via 802.1x to point to my Kerberos server
> instead of a local radius users file authentication (this indeed works
> with EAP-TTLS).

Because EAP-TTLS supplies a clear-text password in the TLS tunnel.

The message you're getting is from a PEAP session (and no, you don't
say that). PEAP uses MS-CHAP inside of the TLS tunnel, which means
it's impossible to do Kerberos authentication. MS-CHAP doesn't supply
a clear-text password, so you can't use that, and Kerberos doesn't
understand MS-CHAP.

> should I instead use PAM module and configure PAM
> to authenticate using Kerberos ?

No. PAM doesn't understand MS-CHAP, either.

What you want to do is impossible, because it's designed to be
impossible by the people who created MS-CHAP and Kerberos.

Alan DeKok.
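
The following is an added illustration of the point made in the message above, not code from the original post or from FreeRADIUS. It models why a tunnelled clear-text password can be handed to a password-checking backend while a challenge-response cannot; all class and function names are hypothetical, the account is constructed sample data, and HMAC-SHA256 over a SHA-256 hash stands in for MS-CHAP's real algorithm.

```python
import hashlib
import hmac
import os

def pw_hash(password):
    # Toy password hash (SHA-256); MS-CHAP really uses the NT hash.
    return hashlib.sha256(password.encode()).digest()

class PasswordOnlyBackend:
    """Stand-in for the Kerberos server as rlm_krb5 uses it: it answers
    "is this clear-text password right?" and never releases stored keys."""

    def __init__(self, users):
        self._keys = {u: pw_hash(p) for u, p in users.items()}

    def verify(self, user, password):
        key = self._keys.get(user)
        return key is not None and hmac.compare_digest(key, pw_hash(password))

def chap_response(stored_hash, challenge):
    # Swapped-in HMAC-SHA256 challenge-response, not MS-CHAP's algorithm.
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()

def authenticate(backend, request, local_hashes=None):
    """Decide one inner-tunnel request; returns (accepted, reason)."""
    user = request["User-Name"]
    if "User-Password" in request:  # EAP-TTLS with PAP inside the tunnel
        ok = backend.verify(user, request["User-Password"])
        return ok, "clear-text password checked by backend"
    # PEAP-style: only a challenge and a response arrive, no password.
    stored = (local_hashes or {}).get(user)
    if stored is None:
        return False, 'Attribute "User-Password" is required for authentication.'
    expected = chap_response(stored, request["Challenge"])
    ok = hmac.compare_digest(expected, request["Response"])
    return ok, "response checked against locally stored hash"

def demo():
    # Constructed sample account and requests.
    backend = PasswordOnlyBackend({"alice": "s3cret"})
    challenge = os.urandom(16)
    ttls = {"User-Name": "alice", "User-Password": "s3cret"}
    peap = {"User-Name": "alice", "Challenge": challenge,
            "Response": chap_response(pw_hash("s3cret"), challenge)}
    return (authenticate(backend, ttls), authenticate(backend, peap),
            authenticate(backend, peap, {"alice": pw_hash("s3cret")}))

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The third call succeeds only because the server itself holds the password hash, which is exactly what a backend that checks passwords on the server's behalf does not provide.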