Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
... you should be using 2.2.0 or 2.2.1 when it's release, as the 2.1.10/11/12 releasea have a known security issue.
I'll be sure to install 2.2.x as soon as a Debian package becomes available for it, but for now I'm going to stick with 2.1.x.
I see from the (limited) debug output you've given that you're forcing Auth-Type in a "users" file. This is usually a mistake, and can cause confusing errors.
If I leave it out, 2.1.10 doesn't work for me. What follows is a description of how I modified my Freeradius server's default configuration in order to get it working for me on Debian squeeze with Kerberos support. After installing the freeradius and freeradius-krb5 packages along with some dependencies, this is what I did: 1.) Added to the end of /etc/freeradius/clients.conf: client 192.168.2.2 { secret = <long_secret_string_1> shortname = <my_ssid> } 2.) Modified attribute in /etc/freeradius/eap.conf, section 'eap': default_eap_type = ttls Modified attribute in subsection 'tls': private_key_password = <long_secret_string_2> 3.) Added this line to the end of /etc/freeradius/users: DEFAULT Auth-Type = krb5 4.) Changed these two lines in /etc/freeradius/modules/krb5: keytab = /etc/freeradius/freeradius.keytab service_principal = radius/<host.name> 5.) In /etc/freeradius/sites-enabled/inner-tunnel, added an extra line with 'krb5' below the line 'pam' (which is commented out) in section 'authenticate'. 6.) Installed and configured a Kerberos client on the Freeradius host. Of course, this included using kadmin to create a host principal, host/<host.name>, as well as a matching keytab (/etc/krb5.keytab) on the Freeradius host. 7.) Used the kadmin console again on the Freeradius host to create a radius service principal: radius/<host.name> 8.) Created a keytab for the radius service principal: /etc/freeradius/freeradius.keytab 9.) Generated a set of self-signed certificates that I copied to the /etc/freeradius/certs directory. When all of this works, 'freeradius -X' shows the following output: === Begin 2.1.10 success ================================ [eap] EAP packet type response id 6 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "jwinius" User-Password = "<my_password>" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "jwinius" User-Password = "<my_password>" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 207 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = krb5 # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied ++[krb5] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.2.2 port 1025 MS-MPPE-Recv-Key = 0xab083ff864d0156503438d3bac157120ac64723522901d27a41564a100bb42a8 MS-MPPE-Send-Key = 0xb31e8a4a4cfe891d652a209aa8e14e5eaa460d3becda0c6cb7d23f5e181c159c EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "jwinius" === End 2.1.10 success ================================== On the other hand, it doesn't work if I remove the 'DEFAULT Auth-Type = krb5' in the users file. Without that line I get this result: === Begin 2.1.10 fail =================================== [eap] EAP packet type response id 6 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "jwinius" User-Password = "<my_password>" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "jwinius" User-Password = "<my_password>" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jwinius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jwinius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 0 to 192.168.2.2 port 1025 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 === End 2.1.10 fail ===================================== After upgrading to 2.1.12, what kills my setup is that Freeradius will no longer start up if I leave 'DEFAULT Auth-Type = krb5' enabled in the users file. But if I disable it, I get exactly the same failure output as I do from 2.1.10 when I disable that line in the users file. Cheers, Jaap