Hi all, using 1.1.7 (forgive me) I have EAP-TTLS working from the files module and I have krb5 athentication working with ldap authorization fro radtest, but when I try EAP-TTLS as an ldap user I fail to connect, and the sever never seems to try the krb5 module. Before I start pulling my hair out is even possible? http://lists.cistron.nl/pipermail/freeradius-users/2006-March/msg00055.html seems to suggest it is but my searches aren't turning up much specifics... Thanks, -Jon
Jonathan D. Proulx wrote:
using 1.1.7 (forgive me)
And we say... upgrade. :) It will make solving this problem easier.
I have EAP-TTLS working from the files module and I have krb5 athentication working with ldap authorization fro radtest, but when I try EAP-TTLS as an ldap user I fail to connect, and the sever never seems to try the krb5 module.
You will need to put something like this in the "users" file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Kerberos
Before I start pulling my hair out is even possible?
Yes. IF the inner tunnel session contains a cleartext password. CHAP won't work, and neither will MS-CHAP. Alan DeKok.
On Wed, Oct 15, 2008 at 07:47:48AM +0200, Alan DeKok wrote: : You will need to put something like this in the "users" file: : :DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Kerberos : : :> Before I start pulling my hair out is even possible? : : Yes. IF the inner tunnel session contains a cleartext password. CHAP :won't work, and neither will MS-CHAP. Excellent, thanks also for your pointer to your page about eapol_test both for testing purposes and because the exaple had this critical line the got my client config right: phase2="auth=PAP" So now eapol_test and my linux wpa_supplicant laptop can connect either with LDAP/KRB5 users or users from the users file, that will get me through opening day Monday, and I might even beable to have the weekend off! Many Thanks, -Jon
participants (2)
-
Alan DeKok -
Jonathan D. Proulx