On 10/05/12 16:39, Jörg Herzinger wrote:
Hi,
Radius has been bugging me now for over a week and I just can't get it working with Kerberos over WLan. I have been trying around a lot but in
There's no such thing as "kerberos over WLAN" wireless authentication is either: * MAC address (no radius involved) * shared secret (no radius involved) * WPA-Enterprise i.e. 802.1x
root@donauauen42 ~ # radtest testing pass radius 1 averysecretsecret Sending Access-Request of id 166 to 192.168.43.118 port 1812 User-Name = "testing" User-Password = "pass" NAS-IP-Address = 192.168.42.42 NAS-Port = 1
This is a plain PAP request, and as such not representative of WPA-Enterprise. You should download the wpa_supplicant sources, and compile "eapol_test" to test 802.1x authentication.
Not working Kerberos debug log: http://pastie.org/3890159
These logs show 802.1x i.e. WPA-Enterprise authentication. You are using EAP-TTLS, with EAP-MD5 inner. The log is clear: [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select The "kerberos" module can only authenticate PAP, because it's an "oracle". See: http://deployingradius.com/documents/protocols/oracles.html For these purposes, you may consider Kerberos to be equivalent to PAM.