Re: 802.1x & kerberos
Thanks for the help so far. Part of the problem is we have probably
tried so many things that we messed something up along the way and don't
remember what it is.
I think I have all the right stuff in the config files. I'll do a
little cut and paste here and maybe you will spot something I missed.
radius.conf (and all the eap parts are uncommented as well):
modules {
    ......
    krb5 {
        # keytab containing the key used by rlm_krb5
        keytab = /usr/local/raddb/nmserv.keytab
        # principal that is used by rlm_krb5
        #service_principal = host/our.host.name@MSU.EDU
    }
    .....
    pap {
        auto_header = yes
    }
    ........
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type kerberos {
        krb5
    }
}
-----------------------
eap.conf:
eap {
    default_eap_type = ttls
    md5 {
    }
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
users:
DEFAULT Freeradius-Proxied-To == 127.0.0.1
        Fall-Through = Yes
DEFAULT Auth-Type := Kerberos
        Fall-Through = 1
Debug output at the moment:
rlm_realm: Looking up realm "msu.edu" for User-Name = "testuser@msu.edu"
rlm_realm: Found realm "MSU.EDU"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm MSU.EDU
rlm_realm: Adding Realm = "MSU.EDU"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 1 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 10
modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
Processing the authenticate section of radiusd.conf
modcall: entering group kerberos for request 4
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
modcall: leaving group kerberos (returns invalid) for request 4
auth: Failed to validate the user.
A.L.M.Buxey@lboro.ac.uk wrote:
no. you don't need to use the users file for the userid/password.
you simply need to ensure that the krb5 module is in the Authorize
section and that you have PAP enabled...and that you are using EAP-TTLS
with PAP inner method.
so....your FR config needs at least the following configs...
radiusd.conf
in the authorize section
    krb5 {
    }
in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x)
    Auth-Type krb5 {
        krb5
    }
you MAY configure krb5 in radiusd.... we haven't found this actually
necessary(!)
    # krb5 {
    #     keytab = /path/to/keytab
    #     service_principal = name_of_principle
    # }
finally. if you are facing issues and you don't help with supplying
a log file then please ensure that your RADIUS request isn't being b0rked
by something in the users file, e.g.
    DEFAULT Auth-Type = System
you can at least change this to....
    DEFAULT Auth-Type = krb5
just for checking(!!)
alan
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Lisa Besko
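As an added example (not code from the thread or from FreeRADIUS), a small Python script that reduces radiusd -X lines like the ones quoted above to a verdict. The sample log is constructed from the quoted output, and the verdict encodes the reading that a users-file `Auth-Type :=` applied to a request that still carries an EAP payload overrides the Auth-Type rlm_eap set, so krb5 runs on the wrong leg and never sees a User-Password.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
# Constructed sample: the decisive lines from the radiusd -X output quoted above.
SAMPLE_LOG = """\
rlm_eap: EAP packet type response id 1 length 18
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.
modcall[authorize]: module "pap" returns noop for request 4
rad_check_password: Found Auth-Type Kerberos
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
"""
MODCALL = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+)')
AUTH_TYPE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")

@dataclass
class Triage:
    auth_type: Optional[str] = None
    results: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (section, module) -> rcode
    failing: Optional[Tuple[str, str]] = None  # first (section, module) that returned a failure
    eap_seen: bool = False                     # this request carried an EAP response
    needs_password: bool = False               # rlm_krb5 ran without a User-Password

def triage(log: str) -> Triage:
    # Reduce one request's debug lines to the facts the verdict needs.
    t = Triage()
    for line in log.splitlines():
        if m := MODCALL.search(line):
            section, module, rcode = m.groups()
            t.results[(section, module)] = rcode
            if rcode in ("invalid", "reject", "fail") and t.failing is None:
                t.failing = (section, module)
        elif m := AUTH_TYPE.search(line):
            t.auth_type = m.group(1)
        elif line.startswith("rlm_eap: EAP packet type response"):
            t.eap_seen = True
        elif 'rlm_krb5: Attribute "User-Password" is required' in line:
            t.needs_password = True
    return t

def verdict(t: Triage) -> str:
    # Map the parsed facts to the most likely misconfiguration.
    if t.needs_password and t.eap_seen:
        return ("Auth-Type %s forced on a request that still carries EAP: the users-file "
                "override hijacks the EAP leg; krb5 should only see the tunnelled PAP request" % t.auth_type)
    if t.needs_password:
        return "krb5 ran without User-Password: the TTLS inner method must be PAP, not an EAP type"
    if t.failing:
        return "%s failed in %s with Auth-Type %s" % (t.failing[1], t.failing[0], t.auth_type)
    return "no failing module in this request"
```

Run it as `print(verdict(triage(SAMPLE_LOG)))`, or paste the lines for a single failing request from your own debug output in place of the sample.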