802.1x & kerberos

tnt at kalik.co.yu tnt at kalik.co.yu
Thu Oct 11 20:28:06 CEST 2007


You should start another topic and add some more information: operating
system, kerberos version, does this happen every time or is it
unpredictable ...

Ivan Kalik
Kalik Informatika ISP


Dana 11/10/2007, "Reynolds, Walter" <waltr at umich.edu> piše:

>We also have this working with the below settings.  However in running
>ver 1.1.6 (maybe others) we have found that there is some sort of
>problem that will cause the Freeradius server to crash.  This seems to
>be tied to requests with incorrect passwords as notated by the following
>in the log:
>
>Thu Oct 11 10:01:03 2007 : Auth: rlm_krb5: [UserName] krb5_g_i_t_w_p
>failed: Decrypt integrity check failed
>
>Has anyone else seen this or have suggestions for me on this?
>
>> Date: Thu, 11 Oct 2007 15:00:39 +0100
>> From: A.L.M.Buxey at lboro.ac.uk
>> Subject: Re: 802.1x & kerberos
>> To: FreeRadius users mailing list
>> 	<freeradius-users at lists.freeradius.org>
>> Message-ID: <20071011140039.GA23584 at lboro.ac.uk>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Hi,
>>
>> > It works w/o EAP.  I can do a radtest with a valid userid and password
>> > on the kerberos server and get authorized (and not get authorized with
>> > bad information).
>>
>> right
>>
>> > I can get EAP-TTLS to work if I put a user and a password in the radius
>> > users file but that's not what we want.  We need the kerberos piece to
>> > work.  I'd be happy to send some config files along if that would help.
>> > I feel like I'm missing something small that's so obvious no one has
>> > thought to document it.
>>
>> no. you don't need to use the users file for the userid/password.
>> you simply need to ensure that the krb5 module is in the Authorize
>> section and that you have PAP enabled...and that you are using EAP-TTLS
>> with PAP inner method.
>>
>> so....your FR config needs at least the following configs...
>>
>> radiusd.conf
>>
>> in the authorize section
>>
>>         krb5 {
>>
>>         }
>>
>> in the authenticate section (radiusd.conf for 1.1.x, sites-
>> enabled/default for 2.x)
>>
>>         Auth-Type krb5 {
>>                 krb5
>>         }
>>
>> you MAY configure krb5 in radiusd.... we haven't found this actually
>> necessary(!)
>>
>> #       krb5 {
>> #               keytab = /path/to/keytab
>> #               service_principal = name_of_principle
>> #       }
>>
>>
>>
>> finally. if you are facing issues and you don't help with supplying
>> a log file then please ensure that your RADIUS request isn't being b0rked
>> by something in the users file eg
>>
>> DEFAULT Auth-Type = System
>>
>> you can at least change this to....
>>
>> DEFAULT Auth-Type = krb5
>>
>> just for checking(!!)
>>
>> alan
>>
>>
>
>
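An added detection example, not code from the thread or from FreeRADIUS: a small Python parser for the rlm_krb5 log line Walter quotes above, which counts "Decrypt integrity check failed" events (a wrong password for an existing principal) per user inside a sliding time window, so that a burst from one account stands out in the log before it becomes a server-stability or password-guessing problem. The sample log, its usernames and timestamps, and the exact layout of lines other than the quoted one are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the rlm_krb5 Auth line quoted in the thread (FreeRADIUS 1.1.x).
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: "
                     r"rlm_krb5: \[(?P<user>[^\]]+)\] (?P<msg>.+)$")
# Kerberos library error when the password cannot decrypt the pre-auth data.
WRONG_PASSWORD = "Decrypt integrity check failed"

def parse_line(line):
    """Return (timestamp, user, message) for an rlm_krb5 Auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("msg")

def failed_logins(lines):
    """Yield (timestamp, user) for every wrong-password failure in the log."""
    for line in lines:
        parsed = parse_line(line)
        if parsed and WRONG_PASSWORD in parsed[2]:
            yield parsed[0], parsed[1]

def flag_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Map user -> most failures inside one sliding window, for users reaching threshold."""
    by_user = defaultdict(list)
    for ts, user in failed_logins(lines):
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

# Constructed sample log: usernames and timestamps are invented for this example.
SAMPLE_LOG = """\
Thu Oct 11 10:01:03 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:01:10 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:01:30 2007 : Auth: Login OK: [bob] (from client lab port 0)
Thu Oct 11 10:02:30 2007 : Auth: rlm_krb5: [alice] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:09:00 2007 : Auth: rlm_krb5: [bob] krb5_g_i_t_w_p failed: Decrypt integrity check failed
Thu Oct 11 10:09:05 2007 : Auth: rlm_krb5: [carol] krb5_g_i_t_w_p failed: Client not found in Kerberos database
""".splitlines()
```

Feed it the real radius.log instead of SAMPLE_LOG; lines that are not rlm_krb5 Auth lines (such as the Login OK line) are ignored, and other krb5 errors such as an unknown principal are not counted as wrong passwords.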
