On Wed, Dec 14, 2016 at 09:36:18PM +0000, Henti Smith wrote:
However if I remove the local user and add "DEFAULT Auth-Type = Kerberos" it stops working.
Well yes, Auth-Type in the outer isn't Kerberos, it's EAP.
Documentation everywhere says don't touch Auth-Type yourself. It says that for a reason.
I did use the guide at https://www.eduroam.us/node/90 which did state to add it. I've removed it.
I'm not entirely familiar with using Kerberos, and it may be one where you need to set Auth-Type in certain circumstances. But you definitely don't want to be doing it there because the users file is read in both the outer and inner virtual servers, and the outer is EAP. You *might* need to do update control { Auth-Type := Kerberos } in your inner-tunnel virtual server authorize section. But if you're doing Kerberos for all PAP requests then you should be able to forget this and change the "pap" line into: Auth-Type PAP { krb5 } in the inner-tunnel authenticate section instead. i.e. if the pap module has recognised the auth request, then authenticate it with krb5.
When I then test without EAP, using
radtest kerberos-test secret localhost 0 testing123
It's working.
Because you set Auth-Type to Kerberos.
As per above, removed and now neither methods work.
This is why we ask for the full radiusd -X debug output.... Trying to debug blind is rather difficult and annoying. :(
eapol_test from the wpasupplicant project is your friend here for testing EAP-TTLS/PAP.
Thanks for the heads up, will try again. the rad_eap_test is a nagios wrapped around eapol_test.
OK, should be good then. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>