Re: Cross platform secure login on wpa2
On 15/12/2016 09:23, Henti Smith wrote:
That is correct. I just can't find the documentation to outline how to achieve this, hence using two documents each, detailing one component and ending up where I am.
If I can be pointed in a direction of some documentation that covers exactly that, it would help a great load.
OK. I don't have that I'm afraid. I have one pointer which may help. In your EAP outer config (the "default" virtual server) you may want something like this: eap { ok = return updated = return # << new } This is to ensure that any modules you put after this aren't invoked during an EAP exchange, except at the very end. The problem I found originally was with a config like this: eap { ok = return } mypolicy In "mypolicy" I was setting Auth-Type := reject in some circumstances, based on group membership. This was resulting in the user being rejected part-way through the EAP exchange, because (1) during one of the intermediate EAP steps, the eap module returns "updated" instead of "ok", and so it fell through to the next step of the default server; and (2) at that point, mypolicy was seeing the outer (anonymous) identity, not the true identity of the user. I'm afraid I don't know how to invoke the krb5 module. In the documentation at https://wiki.freeradius.org/modules/Rlm_krb5 it says: Auth-Type Kerberos { krb5 } However it's not at all clear to me how Auth-Type := Kerberos is set in the first place. You may have to do this explicitly in the inner tunnel virtual server, e.g. at the end of the authorize section put something like Auth-Type = Kerberos (the '=' operator will set it only if it's not already been set to something else already) Looking through the source: the rlm_krb5 module doesn't have an authorize hook which could do this. However the rlm_pap module appears to have functionality to set the auth type to its own name. Hence, if you create an instance of the rlm_pap module called "Kerberos" this may do what you want; but this is not mentioned in the rlm_pap manpage. Regards, Brian.
participants (1)
-
Brian Candler