Jakob Oestergaard <jakob@unthought.net> wrote:
The kerberos module complained that no "User-Password" was sent, and therefore it couldn't try authenticating against the kerb. server.
Because: a) the server got EAP, and you told it to do kerberos or b) the tunneled authentication protocol wasn't PAP.
If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages would be decoded correctly and I could see the supplied password in clear text.
So Kerberos should work, then.
If I ran with Auth-Type = Kerberos, only the User-Name would be decoded, no User-Password.
Huh? What do you mean by that? If you can see the clear-text password inside of the tunnel, then kerberos should work. Run it in debugging mode to see what it's doing. NOTHING else will solve the problem. Alan DeKok.