freeradius Kerberos config in users file ?

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Wed Jun 23 13:02:43 CEST 2010


thank you, now it is much more clear to me

Rick


Alan DeKok wrote:
> Riccardo Veraldi wrote:
>   
>> if I configure freeradius2 with krb5 authentication and I use the
>> following users file,
>> the authentication works using radtest
>>
>> DEFAULT        Auth-Type := Kerberos
>>     
>
>   See "man users" about the ":=" operator.  This *forces* Kerberos
> authentication.
>
>   See also my web page on password compatibility.  Kerberos isn't on
> there, but it would look the same as the row showing CHAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>   
>> but it fails using EAP (EAP-TTLS) telling User-Password attribute is
>> missing...
>>     
>
>   Yes... Kerberos takes a password entered by the user, and does
> kerberos magic with it.  There is *no* password in EAP.  So Kerberos
> doesn't work.
>
>   
>> if I instead use the following users file:
>>
>> DEFAULT        Auth-Type = Kerberos
>>
>> both radtest and EAP authentication work, and that's good, but why ?
>>     
>
>   As always, read the debugging output.  It *tells* you why.
>
>   In short, the "=" operator says "try Kerberos, but ONLY if nothing
> else is supposed to authenticate the user".
>
>   This means that the EAP module handles EAP, as it's supposed to.  The
> "inner-tunnel" virtual server then gets a password *inside* of the TTLS
> tunnel.  That password is used for kerberos authentication.
>
>   *Please* go read the debug output and compare it to the above
> description.  While it's complicated, it is the best way to understand
> what's going on.
>
>   Alan DeKok.
>   
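The operator behaviour described in the reply above, as an added example that is not part of the original thread and is not FreeRADIUS code. It is a simplified Python model: the function names are hypothetical, the sample requests are constructed, and it assumes the eap module runs before the users file (files) in the authorize section.

```python
# Simplified model (assumption, not FreeRADIUS source) of how the users-file
# operators "=" and ":=" treat the Auth-Type control attribute.

def eap_authorize(request, control):
    """Model of eap in authorize: claim requests that carry an EAP-Message."""
    if "EAP-Message" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "EAP"

def files_authorize(control, op, value):
    """Model of the users-file line 'DEFAULT Auth-Type <op> <value>'."""
    if op == ":=":
        control["Auth-Type"] = value            # always replaces: forces it
    elif op == "=":
        control.setdefault("Auth-Type", value)  # only if nothing set it yet
    else:
        raise ValueError(f"operator not modelled: {op}")

def authenticate(request, control):
    """Dispatch on Auth-Type; Kerberos needs a clear-text User-Password."""
    auth_type = control["Auth-Type"]
    if auth_type == "Kerberos":
        return "kerberos" if "User-Password" in request else "reject"
    if auth_type == "EAP":
        return "eap"  # EAP module handles it; password arrives in the tunnel
    raise ValueError(f"Auth-Type not modelled: {auth_type}")

def run(request, op):
    """Process one request with 'DEFAULT Auth-Type <op> Kerberos'."""
    control = {}
    eap_authorize(request, control)
    files_authorize(control, op, "Kerberos")
    return authenticate(request, control)

# Constructed sample requests (not captured traffic).
RADTEST = {"User-Name": "rick", "User-Password": "secret"}
OUTER_TTLS = {"User-Name": "rick", "EAP-Message": b"\x02\x01\x00\x09\x01rick"}
INNER_TUNNEL = {"User-Name": "rick", "User-Password": "secret"}

if __name__ == "__main__":
    samples = {"radtest": RADTEST, "outer EAP-TTLS": OUTER_TTLS,
               "inner-tunnel": INNER_TUNNEL}
    for op in (":=", "="):
        for name, req in samples.items():
            print(f"Auth-Type {op:2} Kerberos | {name:14} -> {run(req, op)}")
```

With `:=` the outer EAP-TTLS request is forced to Kerberos and rejected because it has no User-Password; with `=` the same request stays with EAP and only the inner-tunnel request reaches Kerberos.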



