On Thu, Oct 11, 2007 at 11:28:36AM -0400, Lisa Besko wrote:
Thanks for the help so far. Part of the problem is we have probably tried so many things we probably messed something up along the way don't remember what is is.
I think I have all the right stuff in the config files. I'll do a little cut and paste here and maybe you will spot something I missed.
radius.conf (and all the eap parts are uncommented as well):
modules { ...... krb5 { # keytab containing the key used by rlm_krb5 keytab = /usr/local/raddb/nmserv.keytab
# principal that is used by rlm_krb5 #service_principal = host/our.host.name@MSU.EDU } .....
pap { auto_header = yes } ........ }
authenticate { Auth-Type PAP { pap }
Auth-Type kerberos { krb5 } }
I think this should be Kerberos and not kerberos. Ken
----------------------- eap.conf: eap { default_eap_type = ttls md5 { }
tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random }
ttls {
default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes } }
users: DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes
DEFAULT Auth-Type := Kerberos Fall-Through = 1
Debug out put at the moment:
rlm_realm: Looking up realm "msu.edu" for User-Name = "testuser@msu.edu" rlm_realm: Found realm "MSU.EDU" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm MSU.EDU rlm_realm: Adding Realm = "MSU.EDU" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 1 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 10 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type Kerberos auth: type "Kerberos" Processing the authenticate section of radiusd.conf modcall: entering group kerberos for request 4 rlm_krb5: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "krb5" returns invalid for request 4 modcall: leaving group kerberos (returns invalid) for request 4 auth: Failed to validate the user.
A.L.M.Buxey@lboro.ac.uk wrote:
no. you dont need to use the users file for the userid/password. you simply need to ensure that the krb5 module is in the Authorize section and that you have PAP enabled...and that you are using EAP-TTLS with PAP inner method. so....your FR config needs at least the following configs... radiusd.conf in the authorize section krb5 { } in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x) Auth-Type krb5 { krb5 } you MAY configure krb5 in radiusd.... we havent found this actually necessary(!) # krb5 { # keytab = /path/to/keytab # service_principal = name_of_principle # } finally. if you are facing issues and you dont help with supplying a log file then please ensure that your RADIUS request isnt being b0rked by something in the users file eg DEFAULT Auth-Type = System you can at least change this to.... DEFAULT Auth-Type = krb5 just for checking(!!) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Lisa Besko - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html