On 14 December 2016 at 16:46, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Dec 14, 2016 at 04:29:04PM +0000, Henti Smith wrote:
Next I used the Edoroam freeradius for auth against kerberos guide on https://www.eduroam.us/node/90 to setup kerberos authentication.
That says use FreeRADIUS version 2. Use version 3 instead, v2 is EOL.
Hi Matthew, I'll test with version 3 tomorrow.
./rad_eap_test -H localhost -S testing123 -u kerberos-test -p secret -P 1812 -e PEAP -m WPA-EAP
Noting that's PEAP, not TTLS.
With -e TTLS, same result.
However if I remove the local user and add "DEFAULT Auth-Type = Kerberos" it stops working.
Well yes, Auth-Type in the outer isn't Kerberos, it's EAP.
Documentation everywhere says don't touch Auth-Type yourself. It says that for a reason.
I did use the guide at https://www.eduroam.us/node/90 which did state to add it. I've removed it.
When I then test without EAP, using
radtest kerberos-test secret localhost 0 testing123
It's working.
Because you set Auth-Type to Kerberos.
As per above, removed and now neither methods work.
What am I missing or not getting about getting them to work together to allow users to log into the wireless with existing user/pass but encrypted ?
Don't touch Auth-Type. FreeRADIUS can generally figure it out on its own.
And if you're then still stuck, post a full debug output from 'radiusd -X' to the list.
eapol_test from the wpasupplicant project is your friend here for testing EAP-TTLS/PAP.
Thanks for the heads up, will try again. the rad_eap_test is a nagios wrapped around eapol_test. Henti -- --