Cross platform secure login on wpa2

[Matthew Newton]

On Wed, Dec 14, 2016 at 09:36:18PM +0000, Henti Smith wrote:
> > > However if I remove the local user and add "DEFAULT Auth-Type = Kerberos"
> > > it stops working.
> >
> > Well yes, Auth-Type in the outer isn't Kerberos, it's EAP.
> >
> > Documentation everywhere says don't touch Auth-Type yourself. It
> > says that for a reason.
> >
> 
> I did use the guide at https://www.eduroam.us/node/90 which did state to
> add it. I've removed it.

I'm not entirely familiar with using Kerberos, and it may be one
where you need to set Auth-Type in certain circumstances. But you
definitely don't want to be doing it there because the users file
is read in both the outer and inner virtual servers, and the outer
is EAP.

You *might* need to do

  update control {
    Auth-Type := Kerberos
  }

in your inner-tunnel virtual server authorize section. 

But if you're doing Kerberos for all PAP requests then you should
be able to forget this and change the "pap" line into:

  Auth-Type PAP {
    krb5
  }

in the inner-tunnel authenticate section instead. i.e. if the pap
module has recognised the auth request, then authenticate it with
krb5.

> > > When I then test without EAP, using
> > >
> > > radtest  kerberos-test secret localhost 0 testing123
> > >
> > > It's working.
> >
> > Because you set Auth-Type to Kerberos.
> 
> As per above, removed and now neither methods work.

This is why we ask for the full radiusd -X debug output....

Trying to debug blind is rather difficult and annoying. :(

> > eapol_test from the wpasupplicant project is your friend here for
> > testing EAP-TTLS/PAP.
> >
> 
> Thanks for the heads up, will try again. the rad_eap_test is a nagios
> wrapped around eapol_test.

OK, should be good then.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>