On Wed, Dec 14, 2016 at 04:29:04PM +0000, Henti Smith wrote:
Next I used the Edoroam freeradius for auth against kerberos guide on https://www.eduroam.us/node/90 to setup kerberos authentication.
That says use FreeRADIUS version 2. Use version 3 instead, v2 is EOL.
./rad_eap_test -H localhost -S testing123 -u kerberos-test -p secret -P 1812 -e PEAP -m WPA-EAP
Noting that's PEAP, not TTLS.
However if I remove the local user and add "DEFAULT Auth-Type = Kerberos" it stops working.
Well yes, Auth-Type in the outer isn't Kerberos, it's EAP. Documentation everywhere says don't touch Auth-Type yourself. It says that for a reason.
When I then test without EAP, using
radtest kerberos-test secret localhost 0 testing123
It's working.
Because you set Auth-Type to Kerberos.
What am I missing or not getting about getting them to work together to allow users to log into the wireless with existing user/pass but encrypted ?
Don't touch Auth-Type. FreeRADIUS can generally figure it out on its own. And if you're then still stuck, post a full debug output from 'radiusd -X' to the list. eapol_test from the wpasupplicant project is your friend here for testing EAP-TTLS/PAP. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>