NTLMv2 with FreeRADIUS

stefan.paetow at diamond.ac.uk stefan.paetow at diamond.ac.uk
Thu Apr 10 12:05:02 CEST 2014


>   TTLS + PAP will work fine with Kerberos.  You'll need to edit sites-
> enabled/inner-tunnel, and add "krb5" to the "authenticate"
> section.  Then, in the "authorize" section, do:

Also be aware of one thing... 

EAP-TTLS/PAP uses an EAP method outside (EAP-TTLS) and a non-EAP method inside (PAP). If you are required (by software for example) to have an EAP authentication method in the TTLS tunnel, EAP-MD5 (the default) or EAP-GTC will likely be close enough on the FreeRADIUS end (i.e. you have either EAP-TTLS/EAP-MD5, or EAP-TTLS/EAP-GTC with GTC set to the default PAP authentication). 

EAP-MD5 (the default in the 'ttls' section of the 'eap' module) would *not* be the same as PAP, so it may not help with a Kerberos auth setup.

With Regards

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





More information about the Freeradius-Users mailing list