On Feb 9, 2009, at 4:05 PM, sth wrote:
I'd like to integrate the function of an older RADIUS server (FR 1.0.1) into the new one (FR 2.1.3), which handles 802.1X. The old FR box handles authentication for a VPN concentrator. It has some static users defined, then defaults to PAM (which, in this context, means krb5). Krb5 works fine on the FR 2.1.3 config if I append:
DEFAULT Auth-Type := Kerberos
to the users file. Doing so breaks all tunneled EAP methods (which reading leads me to believe is predictable). Using PAM gives similar results, and I figured it better to use FR's native krb5 support anyway.
I started down the path indicated in a seemingly-similar thread[3] from February of 2008, but my understanding of FR is still not good enough that I can parlay those (mostly FR1.x) instructions into a valid FR2.x config, in spite of Phil Mayers' general comments re: using 2.x's virtual server functionality.
Are EAP and DEFAULTs mutually-exclusive? If not, what's the most effective way to approach this? Your thoughts on the matter are appreciated. I apologize in advance if there's already a wiki page or thread that deals with this, and accept links to such posts with great gusto. :-)
One way would be to not manually set Auth-Type in the users file and instead use unlang: authorize { ... update control { Auth-Type = Kerberos } } This would set Auth-Type to Kerberos if and only if no other modules in the authorize section (such as files or eap) set Auth-Type. See 'man unlang' for more details. Mike Loosbrock Bethel University Network Services 651-638-6723