All, I have a number of NASs - wireless APs running hostapd. I am setting up a freeradius 2.1.10 server to control the authentication of username@net.example.com to the wireless network; the decision is to be made by a Kerberos server. The setup is not working as intended, which I think stems either from my misunderstanding of the protocols involved or of how to set up freeradius correctly. Or both. Later, all authentication requests of username@example.com (without the net.) are to be forwarded to another Radius server. There will likely be more services integrated in the same vein later, so I would like to branch out into separate virtual servers based on realm. My understanding is that the communication between a user@net.example.com and freeradius needs to involve EAP-TTLS, because of the cleartext password which is required to be passed on to kerberos. The required keytab is set up and configured correctly. modules/krb5 is set up accordingly. bootstrap in raddb/certs has been run to create self-signed certs. I have an entry in the users file: DEFAULT Realm == "net.example.com", Auth-Type = Kerberos The realm is set up like this: realm net.example.com { virtual_server = net.example.com } And the virtual server as well as the inner-tunnel have Auth-Type Kerberos { krb5 } in their authenticate section, right after Auth-Type PAP. Key changes in eap.conf: eap { default_eap_type = ttls ttls { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes } } Local tests succeed as follows: $ radtest -t pap thorsten@net.example.com pwd 127.0.0.1 0 testing123 $ radtest -t eap-md5 thorsten@net.example.com pwd 127.0.0.1 0 testing123 $ radtest -t pap thorsten@net.example.com pwd 127.0.0.1:18120 0 testing123 In each of these cases, the reason for success is successful communication with Kerberos, as exemplified by the following lines (and wrong kerberos passwords let authentication fail): Wed Feb 2 15:59:06 2011 : Info: Found Auth-Type = Kerberos Wed Feb 2 15:59:06 2011 : Info: # Executing group from file /etc/freeradius/sites-enabled/net.example.com Wed Feb 2 15:59:06 2011 : Info: +- entering group Kerberos {...} Wed Feb 2 15:59:06 2011 : Info: ++[krb5] returns ok Wed Feb 2 15:59:06 2011 : Auth: Login OK: [thorsten] (from client localhost port 0 via TLS tunnel) However, tests with eapol_test locally as well as with the actual access points fail: $ cat eap-ttls.conf network={ ssid="myssid" key_mgmt=WPA-EAP eap=TTLS identity="thorsten@net.example.com" password="pwd" phase2="auth=PAP" } $ eapol_test -c eap-ttls.conf -s testing123 produces: rad_recv: Access-Request packet from host 127.0.0.1 port 60596, id=0, length=172 User-Name = "thorsten@net.example.com" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 Calling-Station-Id ="02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020000250174686f727374656e406e65742e742d6c6162732e74752d6265726c696e2e6465 Message-Authenticator = 0x3f0be4354cfc77a6285a0ad074341101 Wed Feb 2 15:33:32 2011 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Feb 2 15:33:32 2011 : Info: +- entering group authorize {...} Wed Feb 2 15:33:32 2011 : Info: ++[preprocess] returns ok Wed Feb 2 15:33:32 2011 : Info: ++[chap] returns noop Wed Feb 2 15:33:32 2011 : Info: ++[mschap] returns noop Wed Feb 2 15:33:32 2011 : Info: ++[digest] returns noop Wed Feb 2 15:33:32 2011 : Info: [suffix] Looking up realm "net.example.com" for User-Name = "thorsten@net.example.com" Wed Feb 2 15:33:32 2011 : Info: [suffix] Found realm "net.example.com" Wed Feb 2 15:33:32 2011 : Info: [suffix] Adding Stripped-User-Name = "thorsten" Wed Feb 2 15:33:32 2011 : Info: [suffix] Adding Realm = "net.example.com" Wed Feb 2 15:33:32 2011 : Info: [suffix] Proxying request from user thorsten to realm net.example.com Wed Feb 2 15:33:32 2011 : Info: [suffix] Preparing to proxy authentication request to realm "net.example.com" Wed Feb 2 15:33:32 2011 : Info: ++[suffix] returns updated Wed Feb 2 15:33:32 2011 : Info: [eap] Request is supposed to be proxied to Realm net.example.com. Not doing EAP. Wed Feb 2 15:33:32 2011 : Info: ++[eap] returns noop Wed Feb 2 15:33:32 2011 : Info: [files] users: Matched entry DEFAULT at line 71 Wed Feb 2 15:33:32 2011 : Info: ++[files] returns ok Wed Feb 2 15:33:32 2011 : Info: ++[expiration] returns noop Wed Feb 2 15:33:32 2011 : Info: ++[logintime] returns noop Wed Feb 2 15:33:32 2011 : Info: ++[pap] returns noop Wed Feb 2 15:33:32 2011 : Info: WARNING: Empty pre-proxy section. Using default return values. Wed Feb 2 15:33:32 2011 : Info: >>> Sending proxied request internally to virtual server. Wed Feb 2 15:33:32 2011 : Info: server net.example.com { Wed Feb 2 15:33:32 2011 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/net.example.com Wed Feb 2 15:33:32 2011 : Info: +- entering group authorize {...} Wed Feb 2 15:33:32 2011 : Info: ++[preprocess] returns ok Wed Feb 2 15:33:32 2011 : Info: ++[digest] returns noop Wed Feb 2 15:33:32 2011 : Info: [suffix] Request already proxied. Ignoring. Wed Feb 2 15:33:32 2011 : Info: ++[suffix] returns ok Wed Feb 2 15:33:32 2011 : Info: [files] users: Matched entry DEFAULT at line 71 Wed Feb 2 15:33:32 2011 : Info: ++[files] returns ok Wed Feb 2 15:33:32 2011 : Info: ++[expiration] returns noop Wed Feb 2 15:33:32 2011 : Info: ++[logintime] returns noop Wed Feb 2 15:33:32 2011 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Feb 2 15:33:32 2011 : Info: ++[pap] returns noop Wed Feb 2 15:33:32 2011 : Info: Found Auth-Type = Kerberos Wed Feb 2 15:33:32 2011 : Info: # Executing group from file /etc/freeradius/sites-enabled/net.example.com Wed Feb 2 15:33:32 2011 : Info: +- entering group Kerberos {...} Wed Feb 2 15:33:32 2011 : Auth: rlm_krb5: Attribute "User-Password" is required for authentication. Wed Feb 2 15:33:32 2011 : Info: ++[krb5] returns invalid Wed Feb 2 15:33:32 2011 : Info: Failed to authenticate the user. [...] Apparently, the cleartext password does not get passed on. And I need to figure out why. This is were you come in, mailing list ;) Thank you in advance for suggestions. Cheers, t -- Thorsten Fischer, BOWL Project Administrator <thorsten@net.t-labs.tu-berlin.de> Technische Universität Berlin, FG INET, TEL16, 18th floor Ernst-Reuter-Platz 7, 10587 Berlin, Germany Tel: +49 30 835358542, Fax: +49 391 53478347