On 02/02/11 16:29, Thorsten Fischer wrote:
All,
I have a number of NASs - wireless APs running hostapd. I am setting up a freeradius 2.1.10 server to control the authentication of username@net.example.com to the wireless network; the decision is to be made by a Kerberos server. The setup is not working as intended, which I think stems either from my misunderstanding of the protocols involved or of how to set up freeradius correctly. Or both.
Later, all authentication requests of username@example.com (without the net.) are to be forwarded to another Radius server. There will likely be more services integrated in the same vein later, so I would like to branch out into separate virtual servers based on realm.
My understanding is that the communication between a user@net.example.com and freeradius needs to involve EAP-TTLS, because of the cleartext password which is required to be passed on to kerberos. The required keytab is set up and configured correctly. modules/krb5 is set up accordingly. bootstrap in raddb/certs has been run to create self-signed certs.
I have an entry in the users file:
DEFAULT Realm == "net.example.com", Auth-Type = Kerberos
Yeah, that won't work; it is forcing the server to try Kerberos, even when the request is EAP. You want something like this in /etc/raddb/sites-enabled/inner-tunnel: authorize { ... ... # let the PAP module detect that it's PAP pap } authenticate { Auth-Type PAP { # ...but check PAP via kerberos krb5 } } ...or: authorize { ... # if we get here, set Auth-Type if (User-Password) { update control { # (unless a higher-up module has set it) Auth-Type = Kerberos } } } authenticate { Auth-Type Kerberos { krb5 } }