On Mon, 2007-10-15 at 12:22 -0400, Lisa Besko wrote:
Alan DeKok wrote:
DEFAULT Auth-Type := Kerberos Fall-Through = 1
An earlier message in this thread said "Auth-Type = Kerberos". What you have above is different.
An here in lies the problem. I just went back and tested this. I had been working with Walt Reynolds on the issue and we had shared some files and after that things started working with a Mac client but not with my Win XP client (one of the Xsupplicants we had installed had hosed the system so I couldn't tell when things had gotten better).
According to the man 5 users page:
Auth-Type = Kerberos is allowed for a server configuration variable such as Auth-Type, where as
Auth-Type := Kerberos (note the Colon before the equal sign) is a check item and replaces in the configuration items any attribute of the same name.
Having the colon there or not there made a very big difference in how it behaved.
Slight clarification: "Auth-Type = Kerberos" sets Auth-Type IF AND ONLY IF it's unset "Auth-Type := Kerberos" sets Auth-Type unconditionally The reason the former works and the latter fails is due to the following: authorize { preprocess eap files } authorize { eap Auth-Type Kerberos { krb5 } } ...with this in "users" name Auth-Type = Kerberos The flow through this is: 1. Access-Request/EAP-Message passes through authorize a. preprocess b. eap - sees EAP-Message, sets Auth-Type to EAP c. files - does not match (Auth-Type is already set) 2. Access-Request/EAP-Message passes through authenticate a. Auth-Type is "EAP", eap module runs 3. TTLS tunnel setup starts 4. Access-Challenge sent back to client 5. steps 1-4 repeated several times 6. EAP-TTLS tunnel established - the INNER packet is then looped back to the server as a PAP request 7. PAP request passes through authorize a. preprocess b. eap - does not match, no-op c. files - matches, sets Auth-Type to Kerberos 8. PAP request passes through authenticate a. krb5 called, authenticates PAP request 9. Access-Accept or Access-Reject sent back to TTLS session 10. EAP-TTLS tunnel sends Accept or Reject to client If you use "Auth-Type := Kerberos", this becomes: 1. EAP a. preprocess b. eap - Auth-Type set to EAP c. files - Auth-Type overriden with Kerberos 2. EAP (authenticate) a. Auth-Type is kerberos - krb5 module called b. krb5 module fails, since the packet is an EAP packet (not PAP) Hope that helps.