Hello, I am trying kerberos authentication. I configured the radiusd.conf Auth-Type Kerberos { krb5 } .... krb5 { keytab = /etc/krb5.keytab #service_principal = } than in users DEFAULT Auth-Type := Kerberos But I am unable to succesfully authenticate and I get this error: rlm_krb5: Attribute "User-Password" is required for authentication. How could I Solve this problem? I would like the authentication via 802.1x to point to my kerberos server instead of a local radius users file authentication (this indeed works with EAP-TTLS). What am I doing wrong ? should I instead use PAM module and configure PAM to authenticate using kerberos ? thanks very much Rick
"Riccardo.Veraldi" <Riccardo.Veraldi@fi.infn.it> wrote:
But I am unable to succesfully authenticate and I get this error:
rlm_krb5: Attribute "User-Password" is required for authentication. ... I would like the authentication via 802.1x to point to my kerberos server instead of a local radius users file authentication (this indeed works with EAP-TTLS).
Because EAP-TTLS supplies a clear-text password in the TLS tunnel. The message you're getting is from a PEAP session (and no, you don't say that). PEAP uses MS-CHAP inside of the TLS tunnel, which means it's impossible to do kerberos authentication. MS-CHAP doesn't supply a clear-text password, so you can't use that, and kerberos doesn't understand MS-CHAP.
should I instead use PAM module and configure PAM to authenticate using kerberos ?
No. PAM doesn't understand MS-CHAP, either. What you want to do is impossible, because it's designed to be impossible by the people who created MS-CHAP and Kerberos. Alan DeKok.
Actually I used EAP-TTLS with EAP-MD5 inside the tunnel I think I should try PAP inside hte TLS tunnel isn't it ? I'll try Rick Alan DeKok wrote:
"Riccardo.Veraldi" <Riccardo.Veraldi@fi.infn.it> wrote:
But I am unable to succesfully authenticate and I get this error:
rlm_krb5: Attribute "User-Password" is required for authentication.
...
I would like the authentication via 802.1x to point to my kerberos server instead of a local radius users file authentication (this indeed works with EAP-TTLS).
Because EAP-TTLS supplies a clear-text password in the TLS tunnel.
The message you're getting is from a PEAP session (and no, you don't say that). PEAP uses MS-CHAP inside of the TLS tunnel, which means it's impossible to do kerberos authentication. MS-CHAP doesn't supply a clear-text password, so you can't use that, and kerberos doesn't understand MS-CHAP.
should I instead use PAM module and configure PAM to authenticate using kerberos ?
No. PAM doesn't understand MS-CHAP, either.
What you want to do is impossible, because it's designed to be impossible by the people who created MS-CHAP and Kerberos.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Riccardo.Veraldi