Riccardo Veraldi wrote:
if I configure freeradius2 with krb5 authentication and I use the following users file, the authentication works using radtest
DEFAULT Auth-Type := Kerberos
See "man users" about the ":=" operator. This *forces* Kerberos authentication. See also my web page on password compatibility. Kerberos isn't on there, but it would look the same as the row showing CHAP. http://deployingradius.com/documents/protocols/compatibility.html
but it fails using EAP (EAP-TTLS) telling USer-PAssword attribute is missing...
Yes... Kerberos takes a password entered by the user, and does kerberos magic with it. There is *no* password in EAP. So Kerberos doesn't work.
if I instead use the following users file:
DEFAULT Auth-Type = Kerberos
both radtest and EAP authentication works, and thtat's good, but why ?
As always, read the debugging output. It *tells* you why. In short, the "=" operator says "try Kerberos, but ONLY if nothing else is supposed to authenticate the user". This means that the EAP module handles EAP, as it's supposed to. The "inner-tunnel" virtual server then gets a password *inside* of the TTLS tunnel. That password is used for kerberos authentication. *Please* go read the debug output and compare it to the above description. While it's complicated, it is the best way to understand what's going on. Alan DeKok.