Hi,
It works w/o EAP. I can do a radtest with a valid userid and password on the kerberos server and get authorized (and not get authorized with bad information).
right
I can get EAP-TTLS to work if I put a user and a password in the radius users file but that's not what we want. We need the kerberos piece to work. I'd be happy to send some config files along if that would help. I feel like I'm missing something small that's so obvious no one has thought to document it.
no. you dont need to use the users file for the userid/password. you simply need to ensure that the krb5 module is in the Authorize section and that you have PAP enabled...and that you are using EAP-TTLS with PAP inner method. so....your FR config needs at least the following configs... radiusd.conf in the authorize section krb5 { } in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x) Auth-Type krb5 { krb5 } you MAY configure krb5 in radiusd.... we havent found this actually necessary(!) # krb5 { # keytab = /path/to/keytab # service_principal = name_of_principle # } finally. if you are facing issues and you dont help with supplying a log file then please ensure that your RADIUS request isnt being b0rked by something in the users file eg DEFAULT Auth-Type = System you can at least change this to.... DEFAULT Auth-Type = krb5 just for checking(!!) alan