We also have this working with the below settings. However in running ver 1.1.6 (maybe others) we have found that there is some sort of problem that will cause the Freeradius server to crash. This seems to be tied to request with incorrect passwords as notated by the following in the log: Thu Oct 11 10:01:03 2007 : Auth: rlm_krb5: [UserName] krb5_g_i_t_w_p failed: Decrypt integrity check failed Has anyone else seen this or have suggestions for me on this.
Date: Thu, 11 Oct 2007 15:00:39 +0100 From: A.L.M.Buxey@lboro.ac.uk Subject: Re: 802.1x & kerberos To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20071011140039.GA23584@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
It works w/o EAP. I can do a radtest with a valid userid and password on the kerberos server and get authorized (and not get authorized with bad information).
right
I can get EAP-TTLS to work if I put a user and a password in the radius users file but that's not what we want. We need the kerberos piece to work. I'd be happy to send some config files along if that would help. I feel like I'm missing something small that's so obvious no one has thought to document it.
no. you dont need to use the users file for the userid/password. you simply need to ensure that the krb5 module is in the Authorize section and that you have PAP enabled...and that you are using EAP-TTLS with PAP inner method.
so....your FR config needs at least the following configs...
radiusd.conf
in the authorize section
krb5 {
}
in the authenticate section (radiusd.conf for 1.1.x, sites- enabled/default for 2.x)
Auth-Type krb5 { krb5 }
you MAY configure krb5 in radiusd.... we havent found this actually necessary(!)
# krb5 { # keytab = /path/to/keytab # service_principal = name_of_principle # }
finally. if you are facing issues and you dont help with supplying a log file then please ensure that your RADIUS request isnt being b0rked by something in the users file eg
DEFAULT Auth-Type = System
you can at least change this to....
DEFAULT Auth-Type = krb5
just for checking(!!)
alan