On Jun 23, 2020, at 2:42 AM, Marcelito de Guzman <marzzz21@gmail.com> wrote:
Good Day,
I'm trying to connect my FreeRadius server to my Kerberos Server.
As per the documentation, I've followed what was directed here:
Also created a soft link for the krb module from raddb/mods-available to raddb/mods-enabled. However, the FreeRadius Server doesn't seem to be contacting the Kerberos server. Is there anything else I need to setup?
Yes. You need to tell the "default" virtual server to use the kerberos module for authentication. Except...
Here's the `radiusd -X` logs:
Good...
(0) Received Access-Request Id 77 from 10.129.1.1:55055 to 10.129.2.19:1812 length 145 (0) Service-Type = Login-User (0) User-Name = "bob" (0) MS-CHAP-Challenge = 0x2fac175f8a7b17749c39b9d64e19f21d (0) MS-CHAP2-Response = 0x00002d2bf61426d63eb3c2e752936784be960000000000000000a55bc6e5c0583ea6f2b5f5672c38e0e6c1c8103487b6ac51
You can't use MS-CHAP with Kerberos. It's impossible. Kerberos is only compatible with PAP (i.e User-Password) authentication. Can you make the client send User-Password? If not, then you can't use Kerberos. If you can use User-Password, then: * list "krb5" in the "authenticate" section * add this to the bottom of "authorize", but before "pap" if (User-Password && !control:Auth-Type && !control:Proxy-To-Realm) { update control { Auth-Type := krb5 } } PAP authentication will then work. Alan DeKok.