freeradius Kerberos config in users file ?
Hello, I have just a question. if I configure freeradius2 with krb5 authentication and I use the following users file, the authentication works using radtest DEFAULT Auth-Type := Kerberos but it fails using EAP (EAP-TTLS) telling USer-PAssword attribute is missing... rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Kerberos +- entering group Kerberos {...} rlm_krb5: Attribute "User-Password" is required for authentication. ++[krb5] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> veraldi@cnaf.infn.it attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 95 to 192.168.252.17 port 1645 Waking up in 2.9 seconds. if I instead use the following users file: DEFAULT Auth-Type = Kerberos both radtest and EAP authentication works, and thtat's good, but why ? thanks Rick
Riccardo Veraldi wrote:
if I configure freeradius2 with krb5 authentication and I use the following users file, the authentication works using radtest
DEFAULT Auth-Type := Kerberos
See "man users" about the ":=" operator. This *forces* Kerberos authentication. See also my web page on password compatibility. Kerberos isn't on there, but it would look the same as the row showing CHAP. http://deployingradius.com/documents/protocols/compatibility.html
but it fails using EAP (EAP-TTLS) telling USer-PAssword attribute is missing...
Yes... Kerberos takes a password entered by the user, and does kerberos magic with it. There is *no* password in EAP. So Kerberos doesn't work.
if I instead use the following users file:
DEFAULT Auth-Type = Kerberos
both radtest and EAP authentication works, and thtat's good, but why ?
As always, read the debugging output. It *tells* you why. In short, the "=" operator says "try Kerberos, but ONLY if nothing else is supposed to authenticate the user". This means that the EAP module handles EAP, as it's supposed to. The "inner-tunnel" virtual server then gets a password *inside* of the TTLS tunnel. That password is used for kerberos authentication. *Please* go read the debug output and compare it to the above description. While it's complicated, it is the best way to understand what's going on. Alan DeKok.
thank you, now it is much more clear to me Rick Alan DeKok wrote:
Riccardo Veraldi wrote:
if I configure freeradius2 with krb5 authentication and I use the following users file, the authentication works using radtest
DEFAULT Auth-Type := Kerberos
See "man users" about the ":=" operator. This *forces* Kerberos authentication.
See also my web page on password compatibility. Kerberos isn't on there, but it would look the same as the row showing CHAP.
http://deployingradius.com/documents/protocols/compatibility.html
but it fails using EAP (EAP-TTLS) telling USer-PAssword attribute is missing...
Yes... Kerberos takes a password entered by the user, and does kerberos magic with it. There is *no* password in EAP. So Kerberos doesn't work.
if I instead use the following users file:
DEFAULT Auth-Type = Kerberos
both radtest and EAP authentication works, and thtat's good, but why ?
As always, read the debugging output. It *tells* you why.
In short, the "=" operator says "try Kerberos, but ONLY if nothing else is supposed to authenticate the user".
This means that the EAP module handles EAP, as it's supposed to. The "inner-tunnel" virtual server then gets a password *inside* of the TTLS tunnel. That password is used for kerberos authentication.
*Please* go read the debug output and compare it to the above description. While it's complicated, it is the best way to understand what's going on.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Riccardo Veraldi