Dear list, I'm setting up FreeRADIUS so that I can authenticate WPA ("Enterprise") from a Linksys access point against Kerberos (via. RADIUS). I can get FreeRADIUS to authenticate against Kerberos (using radtest), and I can get FreeRADIUS to talk EPA-TTLS with the access point (or the WIFI notebook actually). However, I cannot get EPA-TTLS to work with Kerberos. If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly sees the PAP password from the laptop: DEFAULT Auth-Type = EAP Fall-Through = 1 If I put this in my users file, Kerberos works but FreeRADIUS does not get the password from the notebook and therefore the krb5 module won't attempt authentication: DEFAULT Auth-Type = Kerberos So, is there a way to tell FreeRADIUS to both use EAP *and* attempt Kerberos authentication when it actually has a password? Any help will be much appreciated. Thank you very much -- / jakob
Jakob Oestergaard <jakob@unthought.net> wrote again:
If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly sees the PAP password from the laptop:
DEFAULT Auth-Type = EAP
You don't need to do that. The server will figure it out on it's own.
If I put this in my users file, Kerberos works but FreeRADIUS does not get the password from the notebook
That's backwards. The notebook sends the password (maybe) to FreeRADIUS.
So, is there a way to tell FreeRADIUS to both use EAP *and* attempt Kerberos authentication when it actually has a password?
Yes. Your configuration is correct. Try running the server in debugging mode (as suggested in the README, FAQ, and INSTALL) to see why it's being rejected. Alan DeKok.
Thanks a lot for the reply! On Tue, Jan 24, 2006 at 12:28:00PM -0500, Alan DeKok wrote:
Jakob Oestergaard <jakob@unthought.net> wrote again:
If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly sees the PAP password from the laptop:
DEFAULT Auth-Type = EAP
You don't need to do that. The server will figure it out on it's own.
It seems to me that it doesn't - read on.
If I put this in my users file, Kerberos works but FreeRADIUS does not get the password from the notebook
That's backwards. The notebook sends the password (maybe) to FreeRADIUS.
Ah yes - my bad
So, is there a way to tell FreeRADIUS to both use EAP *and* attempt Kerberos authentication when it actually has a password?
Yes. Your configuration is correct.
Try running the server in debugging mode (as suggested in the README, FAQ, and INSTALL) to see why it's being rejected.
I did - unfortunately I didn't save the log output and I don't have a laptop handy right now to retry - will fix... The kerberos module complained that no "User-Password" was sent, and therefore it couldn't try authenticating against the kerb. server. If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages would be decoded correctly and I could see the supplied password in clear text. If I ran with Auth-Type = Kerberos, only the User-Name would be decoded, no User-Password. I can send proper logs tomorrow - in case the above doesn't ring any bells :) Thanks, -- / jakob
Jakob Oestergaard <jakob@unthought.net> wrote:
The kerberos module complained that no "User-Password" was sent, and therefore it couldn't try authenticating against the kerb. server.
Because: a) the server got EAP, and you told it to do kerberos or b) the tunneled authentication protocol wasn't PAP.
If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages would be decoded correctly and I could see the supplied password in clear text.
So Kerberos should work, then.
If I ran with Auth-Type = Kerberos, only the User-Name would be decoded, no User-Password.
Huh? What do you mean by that? If you can see the clear-text password inside of the tunnel, then kerberos should work. Run it in debugging mode to see what it's doing. NOTHING else will solve the problem. Alan DeKok.
participants (2)
-
Alan DeKok -
Jakob Oestergaard