Hello, I could succesfully use EAP-TTLS with kerberos authentication. my problem now is that in this way also users who have a certificate can authenticate. I would like only users with kerberos credentials to being able to authenticate in my users file I have DEFAULT Auth-Type = Kerberos in this way any EAP-TLS with a valid certificate can authenticate while I do not want people to use the certificate, because the only method I wish to allow is login/password on kerberos server. There is a way to do it ? To allow ONLY kerberos via EAP-TTLS ? I Tryed with a Auth-Type := Reject but with no luck.. So what I did is this. I wrote this users file: "user1" Auth-Type = Kerberos DEFAULT Auth-Type := Reject in this case the user called user1 can authenticate with Kerberos credential and he cannot authenticate if it has a certificate, this as I Wantet but THIS WORKS only for user1 I want to do it for all users in the Kerberos database, and I do not like to write all the usernames in the users file. If I use DEFAULT instead of "user1" in the line above it does not work ... Please maybe there is a hint which could help me ? thanks Rick
"Riccardo.Veraldi" <Riccardo.Veraldi@fi.infn.it> wrote:
I would like only users with kerberos credentials to being able to authenticate
Then delete everything from the "authenticate" section, except for "eap" and "krb5". Also, ensure that nothing in the "authorize" section obtains a clear-text password for the user from a database. That guarantees: a) no password by which to authenticate someone b) therefore they must use kerberos c) they can't use anything other than kerberos Everyone else will have no way to get authenticated, and will be rejected. Alan DeKok.
Hello. sorry to disturb you. I disable all authentication modules in the authenticate session I left only: # kerberos Auth-Type Kerberos { krb5 } eap in the authorize sezzion of radiusd.conf I disabled everything and I left only eap and files in this way Kerberos authentication + ldap authorization works. I want ONLY this method to work, but also EAP-TLS with certificates works, while I want to disable it for users. If I remove eap from the authorizatin section, I prefent certificate authentication to work but also Kerberos authentication will not work. in my users file I have the string DEFAULT Auth-Type = Kerberos How I can solve this problem ? I tryed in all possible qays I Cannot disable EAP-TLS with certificates if I want EAP-TTLS to work with kerberos and ldap. might you help me ? thanks Rick Alan DeKok wrote:
"Riccardo.Veraldi" <Riccardo.Veraldi@fi.infn.it> wrote:
I would like only users with kerberos credentials to being able to authenticate
Then delete everything from the "authenticate" section, except for "eap" and "krb5". Also, ensure that nothing in the "authorize" section obtains a clear-text password for the user from a database.
That guarantees:
a) no password by which to authenticate someone b) therefore they must use kerberos c) they can't use anything other than kerberos
Everyone else will have no way to get authenticated, and will be rejected.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Riccardo.Veraldi" <Riccardo.Veraldi@fi.infn.it> wrote:
I want ONLY this method to work, but also EAP-TLS with certificates works, while I want to disable it for users.
If you haven't made drastic changes to the "authorize" section, the following will work if you put it in the "users" file. #-- DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject #-- If you have made drastic changes to the "authorize" section, my suggestion is "don't". Alan DeKok.
participants (2)
-
Alan DeKok -
Riccardo.Veraldi