Or I have just written a how-to with Kerberos and FreeRADIUS; this will help you<div><br></div><div><div>FreeRADIUS with MIT Kerberos Authentication </div><div>===========================================</div><div><br></div>
<div>I have successfully installed and configured MIT Kerberos and FreeRADIUS authentication. This might be helpful for some people who are interested in doing this. Perhaps the FR guys will add this to their wiki.</div>
<div><br></div><div>Why am I doing this?</div><div>=====================</div><div>I have been running an Eduroam service on FreeRADIUS and Active Directory for user authentication. In order to use Active Directory, I had to configure Samba and winbind. Lately, I have had too many problems with winbind and Samba, which require frequent restarts of both the smb and winbind daemons. I ended up writing a cron job to do this for me. I feel this is not reliable and looked for an alternative solution. I came up with four different solutions.</div><div><br></div><div>1. Continue using FreeRADIUS with Active Directory for user authentication and maintain the ailing winbind plus Samba</div><div>2. Customize LDAP (OpenLDAP) so that passwords can be stored as NT-HASH or LM-HASH or whatever is compatible, so you do not have to worry about SMB and winbind</div>
<div>3. Forget about FreeRADIUS and choose Microsoft IAS or their $ application so that you do not have to worry about Samba, winbind and FreeRADIUS :)</div><div>4. Deploy Kerberos, integrate it with OpenLDAP, and configure FreeRADIUS to use Kerberos for user authentication.</div>
<div><br></div><div>I preferred option number 4 and implemented it. Now that it is working fine I am thinking of going into production. Here is what I did:</div><div><br></div><div>I assume you already have a working Kerberos server; if not, here are the instructions on how to install MIT Kerberos on Linux:</div>
<div><a href="http://www.linux-mag.com/id/4738/">http://www.linux-mag.com/id/4738/</a></div><div><br></div><div><br></div><div>1. Add the host principal and service principal for your FreeRADIUS server</div><div>kadmin$ ank -randkey radius/radiusserver.example.com@EXAMPLE.COM</div>
<div>kadmin$ ank -randkey host/radiusserver.example.com@EXAMPLE.COM</div><div><br></div><div><br></div><div>2. Add a user principal for testing:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>kadmin$ add_principal krbtesting # this will prompt you for a password - just type whatever you want; in my case I typed krbtesting as my password</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>your user principal will be krbtesting@EXAMPLE.COM</div><div><br></div><div>3. You need to dump the keytab file:</div>
<div><br></div><div>kadmin$ ktadd -k /tmp/krb5.keytab host/radiusserver.example.com@EXAMPLE.COM</div><div>kadmin$ ktadd -k /tmp/krb5.keytab radius/radiusserver.example.com@EXAMPLE.COM</div>
<div><br></div><div>4. So you have the keytab file; if you like, test it. This can be done like this:</div><div><br></div><div>test15$ kinit -k -t /tmp/krb5.keytab radius/radiusserver.example.com@EXAMPLE.COM</div>
<div>test15$ kinit -k -t /tmp/krb5.keytab host/radiusserver.example.com@EXAMPLE.COM</div><div><br></div><div><br></div><div>5. Copy the krb5.keytab file to your FreeRADIUS server</div>
<div><br></div><div>You are done with Kerberos. Let's install FreeRADIUS.</div><div><br></div><div>On CentOS you can do:</div><div>=================</div><div>test15# yum install freeradius freeradius-krb5 freeradius-utils -y</div>
<div><br></div><div>For a basic Kerberos authentication test you just need to configure a few files under /etc/raddb </div><div>1. Edit /etc/raddb/modules/krb5.conf and add the following</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>krb5 {</div>
<div> <span class="Apple-tab-span" style="white-space:pre"> </span>keytab = /etc/krb5.keytab # make sure this keytab file is readable by the radius daemon; change the path to where your keytab file is</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>service_principal = radius/radiusserver.example.com</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div><br></div><div>2. Add Auth-Type Kerberos in /etc/raddb/sites-enabled/default right after PAP, like this:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Auth-Type Kerberos {</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span> krb5</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div>PS: Kerberos only works with PAP </div><div><br></div><div>3. Add DEFAULT Auth-Type = Kerberos (without quotes "") at the top of your /etc/raddb/users file</div>
<div><br></div><div>4. Now, start FreeRADIUS in debug mode: radiusd -X</div><div><br></div><div>Let's test the authentication; open another terminal and issue the following command:</div><div><br></div><div>test15$ radtest krbtesting krbtesting localhost 0 testing123</div>
<div><br></div><div>Where the username is krbtesting and the password is krbtesting, the RADIUS server is localhost and the secret is testing123. The aim here is to get Access-Accept; here is what I get:</div><div><br></div><div>Fri Dec 28 10:50:57 2012 : Info: ++[expiration] returns noop</div>
<div>Fri Dec 28 10:50:57 2012 : Info: ++[logintime] returns noop</div><div>Fri Dec 28 10:50:57 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</div>
<div>Fri Dec 28 10:50:57 2012 : Info: ++[pap] returns noop</div><div>Fri Dec 28 10:50:57 2012 : Info: Found Auth-Type = Kerberos</div><div>Fri Dec 28 10:50:57 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default</div>
<div>Fri Dec 28 10:50:57 2012 : Info: +- entering group kerberos {...}</div><div>Fri Dec 28 10:50:57 2012 : Debug: rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied</div><div>Fri Dec 28 10:50:57 2012 : Info: ++[krb5] returns ok</div>
<div>Fri Dec 28 10:50:57 2012 : Auth: Login OK: [krbtesting] (from client localhost port 0)</div><div>Fri Dec 28 10:50:57 2012 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default</div><div>Fri Dec 28 10:50:57 2012 : Info: +- entering group post-auth {...}</div>
<div>Fri Dec 28 10:50:57 2012 : Info: [reply_log] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/reply-detail-20121228</div>
<div>Fri Dec 28 10:50:57 2012 : Info: [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20121228</div>
<div>Fri Dec 28 10:50:57 2012 : Info: [reply_log] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: %t -> Fri Dec 28 10:50:57 2012</div><div>Fri Dec 28 10:50:57 2012 : Info: ++[reply_log] returns ok</div>
<div>Fri Dec 28 10:50:57 2012 : Info: ++[exec] returns noop</div><div>Sending Access-Accept of id 248 to 127.0.0.1 port 34456</div><div><br></div><div>The key thing here is to get Login OK and krb5 returns ok; if you see those, you have successfully authenticated against your FreeRADIUS with the Kerberos server. There are warning and permission denied messages; </div>
<div>see the earlier post and Alan's reply. </div><div><br></div><div>On your terminal you will see output like this:</div><div><br></div><div>[test@test15]# radtest krbtesting krbtesting localhost 0 testing123</div><div>
Sending Access-Request of id 248 to 127.0.0.1 port 1812</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>User-Name = "krbtesting"</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>User-Password = "krbtesting"</div><div>
<span class="Apple-tab-span" style="white-space:pre"> </span>NAS-IP-Address = 192.168.1.25</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Port = 0</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Message-Authenticator = 0x00000000000000000000000000000000</div>
<div>rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=248, length=20</div><div><br></div><div><br></div><div>I have tested EAP-TTLS - PAP with wpa_supplicant and it works well too. I also tested the following devices that allow EAP-TTLS and PAP:</div>
<div>Sony Ericsson mobile</div><div>Samsung Galaxy S II</div><div>Samsung Galaxy Note</div><div>Windows 8 (thank you Dr. Bill, you enabled other selections apart from PEAP)</div><div>Fedora 17</div><div>Windows 7 requires SecureW2 to make it work (it works though)</div>
<div><br></div><div>Hope this helps.<span class="Apple-tab-span" style="white-space:pre"> </span></div><div><br></div><div><br></div><br><div class="gmail_quote">On Thu, May 10, 2012 at 4:10 PM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 10/05/12 16:39, Jörg Herzinger wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
Radius has been bugging me now for over a week and I just can't get it<br>
working with Kerberos over WLAN. I have been trying around a lot but in<br>
</blockquote>
<br></div>
There's no such thing as "kerberos over WLAN"<br>
<br>
wireless authentication is either:<br>
<br>
* MAC address (no radius involved)<br>
* shared secret (no radius involved)<br>
* WPA-Enterprise i.e. 802.1x<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
root@donauauen42 ~ # radtest testing pass radius 1 averysecretsecret<br>
Sending Access-Request of id 166 to 192.168.43.118 port 1812<br>
User-Name = "testing"<br>
User-Password = "pass"<br>
NAS-IP-Address = 192.168.42.42<br>
NAS-Port = 1<br>
</blockquote>
<br></div>
This is a plain PAP request, and as such not representative of WPA-Enterprise.<br>
<br>
You should download the wpa_supplicant sources, and compile "eapol_test" to test 802.1x authentication.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Not working Kerberos debug log: <a href="http://pastie.org/3890159" target="_blank">http://pastie.org/3890159</a><br>
</blockquote>
<br></div>
These logs show 802.1x i.e. WPA-Enterprise authentication. You are using EAP-TTLS, with EAP-MD5 inner. The log is clear:<br>
<br>
[eap] EAP/md5<div class="im"><br>
[eap] processing type md5<br>
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication<br></div>
[eap] Handler failed in EAP/md5<br>
[eap] Failed in EAP select<br>
<br>
The "kerberos" module can only authenticate PAP, because it's an "oracle". See:<br>
<br>
<a href="http://deployingradius.com/documents/protocols/oracles.html" target="_blank">http://deployingradius.com/documents/protocols/oracles.html</a><br>
<br>
For these purposes, you may consider Kerberos to be equivalent to PAM.<div class="HOEnZb"><div class="h5"><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>
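<div>An added check, written for the debug-mode test step in the how-to above and not part of this thread: it parses a radiusd -X run (a constructed excerpt modelled on the log shown earlier) and reports whether the Kerberos authentication actually succeeded, flagging the rlm_krb5 "Permission denied" line so that the keytab ownership and mode get fixed rather than ignored. The function and field names are my own.</div>

```python
import re

# Constructed excerpt modelled on the `radiusd -X` output shown in the
# how-to above (sample data, not a capture from a real server).
SAMPLE_DEBUG_LOG = """\
Fri Dec 28 10:50:57 2012 : Info: Found Auth-Type = Kerberos
Fri Dec 28 10:50:57 2012 : Debug: rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
Fri Dec 28 10:50:57 2012 : Info: ++[krb5] returns ok
Fri Dec 28 10:50:57 2012 : Auth: Login OK: [krbtesting] (from client localhost port 0)
Sending Access-Accept of id 248 to 127.0.0.1 port 34456
"""

KRB5_RESULT = re.compile(r"\+\+\[krb5\] returns (\w+)")
LOGIN = re.compile(r"Auth: Login (OK|incorrect): \[([^\]]+)\]")

def analyse_debug_log(text):
    """Summarise one radiusd -X authentication run into a dict of findings."""
    f = {"auth_type_kerberos": False, "krb5_result": None, "login_ok": False,
         "user": None, "access_accept": False, "keytab_unreadable": False}
    for line in text.splitlines():
        if "Found Auth-Type = Kerberos" in line:
            f["auth_type_kerberos"] = True
        m = KRB5_RESULT.search(line)
        if m:
            f["krb5_result"] = m.group(1)
        m = LOGIN.search(line)
        if m:
            f["login_ok"] = m.group(1) == "OK"
            f["user"] = m.group(2)
        if "Sending Access-Accept" in line:
            f["access_accept"] = True
        # rlm_krb5 could not open the host key in the keytab: check that the
        # keytab path in modules/krb5.conf is readable by the radiusd user.
        if "rlm_krb5" in line and "Permission denied" in line:
            f["keytab_unreadable"] = True
    return f

def verdict(f):
    """Return (passed, warnings); passed only if every success marker is present."""
    passed = bool(f["auth_type_kerberos"] and f["krb5_result"] == "ok"
                  and f["login_ok"] and f["access_accept"])
    warnings = []
    if not f["auth_type_kerberos"]:
        warnings.append("Auth-Type Kerberos never selected: check the users file entry")
    if f["keytab_unreadable"]:
        warnings.append("keytab not readable by radiusd: fix its owner/mode")
    return passed, warnings

if __name__ == "__main__":
    print(verdict(analyse_debug_log(SAMPLE_DEBUG_LOG)))
```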