802.1x & kerberos

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Oct 11 16:00:39 CEST 2007


Hi,

> It works w/o EAP.  I can do a radtest with a valid userid and password 
> on the kerberos server and get authorized (and not get authorized with 
> bad information).

right

> I can get EAP-TTLS to work if I put a user and a password in the radius 
> users file but that's not what we want.  We need the kerberos piece to 
> work.  I'd be happy to send some config files along if that would help. 
>  I feel like I'm missing something small that's so obvious no one has 
> thought to document it.

no. you dont need to use the users file for the userid/password. 
you simply need to ensure that the krb5 module is in the Authorize
section and that you have PAP enabled...and that you are using EAP-TTLS
with PAP inner method.

so....your FR config needs at least the following configs...

radiusd.conf

in the authorize section

        krb5 {

        }

in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x)

        Auth-Type krb5 {
                krb5
        }

you MAY configure krb5 in radiusd.... we havent found this actually
necessary(!)

#       krb5 {
#               keytab = /path/to/keytab
#               service_principal = name_of_principle
#       }



finally. if you are facing issues and you dont help with supplying 
a log file then please ensure that your RADIUS request isnt being b0rked
by something in the users file eg

DEFAULT Auth-Type = System

you can at least change this to....

DEFAULT Auth-Type = krb5

just for checking(!!)

alan



More information about the Freeradius-Users mailing list