802.1x & kerberos

Reynolds, Walter waltr at umich.edu
Thu Oct 11 16:28:47 CEST 2007


We also have this working with the below settings.  However, in running
ver 1.1.6 (maybe others) we have found that there is some sort of
problem that will cause the Freeradius server to crash.  This seems to
be tied to requests with incorrect passwords, as noted by the following
in the log:

Thu Oct 11 10:01:03 2007 : Auth: rlm_krb5: [UserName] krb5_g_i_t_w_p failed: Decrypt integrity check failed

Has anyone else seen this, or have suggestions for me on this?

> Date: Thu, 11 Oct 2007 15:00:39 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> Subject: Re: 802.1x & kerberos
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <20071011140039.GA23584 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi,
> 
> > It works w/o EAP.  I can do a radtest with a valid userid and password
> > on the kerberos server and get authorized (and not get authorized with
> > bad information).
> 
> right
> 
> > I can get EAP-TTLS to work if I put a user and a password in the radius
> > users file but that's not what we want.  We need the kerberos piece to
> > work.  I'd be happy to send some config files along if that would help.
> > I feel like I'm missing something small that's so obvious no one has
> > thought to document it.
> 
> No. You don't need to use the users file for the userid/password.
> You simply need to ensure that the krb5 module is in the Authorize
> section and that you have PAP enabled... and that you are using EAP-TTLS
> with PAP as the inner method.
> 
> So... your FR config needs at least the following configs...
> 
> radiusd.conf
> 
> in the authorize section
> 
>         krb5 {
> 
>         }
> 
> in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x)
> 
>         Auth-Type krb5 {
>                 krb5
>         }
> 
> you MAY configure krb5 in radiusd.... we haven't found this actually
> necessary(!)
> 
> #       krb5 {
> #               keytab = /path/to/keytab
> #               service_principal = name_of_principle
> #       }
> 
> 
> 
> Finally, if you are facing issues and you don't help by supplying
> a log file, then please ensure that your RADIUS request isn't being
> b0rked by something in the users file, e.g.
> 
> DEFAULT Auth-Type = System
> 
> you can at least change this to....
> 
> DEFAULT Auth-Type = krb5
> 
> just for checking(!!)
> 
> alan
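Added example, not from either poster or from the FreeRADIUS project: with EAP-TTLS/PAP every inner password is forwarded to the KDC, so a client that guesses passwords through the wireless controller shows up only as a run of the rlm_krb5 failure lines quoted at the top of this thread. The script below parses radius.log lines of that shape, counts wrong-password failures per user in a sliding window, and separately lists principals the KDC reported as non-existent. The sample log lines are constructed for the example (the "Login OK" line is filler that the parser should ignore); "Decrypt integrity check failed" is the wrong-password text from the thread, and "Client not found in Kerberos database" is the standard libkrb5 text for an unknown principal. The threshold and window are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the rlm_krb5 failure line quoted at the top of the thread
# (FreeRADIUS 1.x radius.log format): timestamp : Auth: module: [user] reason
KRB5_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"Auth: rlm_krb5: \[(?P<user>[^\]]*)\] "
    r"krb5_g_i_t_w_p failed: (?P<reason>.+)$"
)

# libkrb5 error texts and what each tells a password-guessing client
WRONG_PASSWORD = "Decrypt integrity check failed"            # principal exists, password was wrong
UNKNOWN_PRINCIPAL = "Client not found in Kerberos database"  # principal does not exist

# Constructed sample log (not real traffic): alice is being guessed at,
# bob mistyped once, two non-existent principals were probed.
SAMPLE_LOG = """\
Thu Oct 11 10:01:03 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:01:09 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:01:15 2007 : Auth: rlm_krb5: [bob] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:01:20 2007 : Auth: Login OK: [bob] (from client wireless-ctl port 0 cli 00-11-22-33-44-55)
Thu Oct 11 10:01:31 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:01:44 2007 : Auth: rlm_krb5: [svc-test] krb5_g_i_t_w_p failed: Client not found in Kerberos database
Thu Oct 11 10:02:02 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:02:40 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:03:15 2007 : Auth: rlm_krb5: [admin] krb5_g_i_t_w_p failed: Client not found in Kerberos database
Thu Oct 11 10:03:58 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 11:30:00 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
"""


def parse_krb5_failure(line):
    """Return (timestamp, user, reason) for an rlm_krb5 failure line, else None."""
    m = KRB5_FAIL_RE.match(line)
    if not m:
        return None
    # collapse the double space ctime() emits for single-digit days
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("reason")


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold wrong-password failures inside any sliding
    `window`, and list principals the KDC said do not exist."""
    stamps = defaultdict(list)
    totals = defaultdict(int)
    unknown = set()
    parsed = 0
    for line in log_text.splitlines():
        ev = parse_krb5_failure(line)
        if ev is None:
            continue
        parsed += 1
        ts, user, reason = ev
        if reason == WRONG_PASSWORD:
            stamps[user].append(ts)
            totals[user] += 1
        elif reason == UNKNOWN_PRINCIPAL:
            unknown.add(user)

    guessing = {}
    for user, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # advance the left edge until the window spans at most `window`
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                guessing[user] = max(guessing.get(user, 0), count)

    return {
        "parsed": parsed,                       # rlm_krb5 failure lines recognised
        "per_user_total": dict(totals),         # wrong-password failures per user
        "guessing": guessing,                   # user -> peak failures in one window
        "unknown_principals": sorted(unknown),  # names the KDC does not know
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real radius.log by replacing SAMPLE_LOG with the file contents; the detection only sees what rlm_krb5 logs, so a user name appears only if the inner PAP password actually reached the KDC.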