Thanks a lot for the reply! On Tue, Jan 24, 2006 at 12:28:00PM -0500, Alan DeKok wrote:
Jakob Oestergaard <jakob@unthought.net> wrote again:
If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly sees the PAP password from the laptop:
DEFAULT Auth-Type = EAP
You don't need to do that. The server will figure it out on it's own.
It seems to me that it doesn't - read on.
If I put this in my users file, Kerberos works but FreeRADIUS does not get the password from the notebook
That's backwards. The notebook sends the password (maybe) to FreeRADIUS.
Ah yes - my bad
So, is there a way to tell FreeRADIUS to both use EAP *and* attempt Kerberos authentication when it actually has a password?
Yes. Your configuration is correct.
Try running the server in debugging mode (as suggested in the README, FAQ, and INSTALL) to see why it's being rejected.
I did - unfortunately I didn't save the log output and I don't have a laptop handy right now to retry - will fix... The kerberos module complained that no "User-Password" was sent, and therefore it couldn't try authenticating against the kerb. server. If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages would be decoded correctly and I could see the supplied password in clear text. If I ran with Auth-Type = Kerberos, only the User-Name would be decoded, no User-Password. I can send proper logs tomorrow - in case the above doesn't ring any bells :) Thanks, -- / jakob