<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Actually I used EAP-TTLS with EAP-MD5 inside the tunnel<br>
I think I should try PAP inside the TLS tunnel, shouldn't I?<br>
I'll try<br>
<br>
Rick<br>
<br>
<br>
Alan DeKok wrote:
<blockquote cite="mid20060111191235.2D8B916E3F@mail.nitros9.org"
type="cite">
<pre wrap="">"Riccardo.Veraldi" <a class="moz-txt-link-rfc2396E" href="mailto:Riccardo.Veraldi@fi.infn.it">&lt;Riccardo.Veraldi@fi.infn.it&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">But I am unable to successfully authenticate
and I get this error:
rlm_krb5: Attribute "User-Password" is required for authentication.
</pre>
</blockquote>
<pre wrap=""><!---->...
</pre>
<blockquote type="cite">
<pre wrap="">I would like the authentication via 802.1x to point to my kerberos server
instead of a local radius users file authentication (this indeed works
with EAP-TTLS).
</pre>
</blockquote>
<pre wrap=""><!---->
Because EAP-TTLS supplies a clear-text password in the TLS tunnel.
The message you're getting is from a PEAP session (and no, you don't
say that). PEAP uses MS-CHAP inside of the TLS tunnel, which means
it's impossible to do kerberos authentication. MS-CHAP doesn't supply
a clear-text password, so you can't use that, and kerberos doesn't
understand MS-CHAP.
</pre>
<blockquote type="cite">
<pre wrap="">should I instead use PAM module and configure PAM
to authenticate using kerberos ?
</pre>
</blockquote>
<pre wrap=""><!---->
No. PAM doesn't understand MS-CHAP, either.
What you want to do is impossible, because it's designed to be
impossible by the people who created MS-CHAP and Kerberos.
Alan DeKok.
</pre>
</blockquote>
<br>
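Added example (not part of the original messages and not FreeRADIUS code): a toy model of why a back end that needs User-Password works with PAP inside the tunnel but not with a challenge-response inner method such as EAP-MD5. The KDC stand-in, the request dictionaries and the keys Identifier, Challenge and Response are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data. The toy "KDC" keeps only a derived key, never the password.
_SALT = b"EXAMPLE.ORGrick"
_KDC_KEYS = {"rick": hashlib.pbkdf2_hmac("sha1", b"s3cret-sample", _SALT, 4096)}

def kdc_accepts(user, password):
    """Stand-in for a Kerberos password check: it must be given the clear-text password."""
    key = _KDC_KEYS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha1", password, _SALT, 4096)
    return key is not None and hmac.compare_digest(key, candidate)

def md5_challenge_response(identifier, password, challenge):
    """CHAP / EAP-MD5 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def pap_request(user, password):
    """Inner request as PAP delivers it: the password itself, protected only by the tunnel."""
    return {"User-Name": user, "User-Password": password}

def eap_md5_request(user, password, identifier, challenge):
    """Inner request as EAP-MD5 delivers it: a hash of the password, never the password."""
    response = md5_challenge_response(identifier, password, challenge)
    return {"User-Name": user, "Identifier": identifier,
            "Challenge": challenge, "Response": response}

def authenticate_via_kdc(request):
    """Hypothetical back end that forwards the password to the KDC."""
    if "User-Password" not in request:
        return "reject: no User-Password in request"
    ok = kdc_accepts(request["User-Name"], request["User-Password"])
    return "accept" if ok else "reject: bad password"

def authenticate_md5_locally(request, local_passwords):
    """Verifying the hash needs a clear-text copy held by the server (e.g. a users file)."""
    password = local_passwords.get(request["User-Name"])
    if password is None:
        return "reject: no local clear-text password"
    expected = md5_challenge_response(request["Identifier"], password, request["Challenge"])
    ok = hmac.compare_digest(expected, request["Response"])
    return "accept" if ok else "reject: bad response"

if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real server uses random bytes
    md5_req = eap_md5_request("rick", b"s3cret-sample", 7, challenge)
    print(authenticate_via_kdc(pap_request("rick", b"s3cret-sample")))
    print(authenticate_via_kdc(md5_req))
    print(authenticate_md5_locally(md5_req, {"rick": b"s3cret-sample"}))
```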
</body>
</html>