RE: Freeradius-Users Digest, Vol 30, Issue 48
-- Walt Reynolds Principle Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
-----Original Message-----
Message: 5 Date: Fri, 12 Oct 2007 10:45:11 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: 802.1x & kerberos To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <470F3417.8040308@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Lisa Besko wrote:
Thanks for the help so far. Part of the problem is we have probably tried so many things we probably messed something up along the way don't remember what is is.
Stop right there. If you don't keep track of what you're doing, you will NEVER get it to work.
Throw away everything you've done, and start with all of the default configuration files. Then, proceed with the following steps:
1) Configure EAP-TTLS i.e. the "tls" and "ttls" sub-sections of eap.conf
2) Put the following at the TOP of the "users" file:
bob Cleartext-Password := "bob"
3) Start the server in debug mode
4) validate that you can log in with "bob" using radtest (i.e. PAP)
5) validate that EAP-TTLS works with username/password "bob" and "bob"
6) Configure kerberos in radiusd.conf.
7) Delete the "bob" entry in the "users" file.
8) Replace it with:
DEFAULT Auth-Type = Kerberos
And it WILL work. ...
authenticate { Auth-Type PAP { pap }
Auth-Type kerberos { krb5 } }
If you don't list "eap" there, it won't work. Again, throw away your existing configuration files, and start from the default ones.
users: DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes
That entry does nothing. I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg02045.h... Has something changes in recent code that makes this unnecessary?
DEFAULT Auth-Type := Kerberos Fall-Through = 1
An earlier message in this thread said "Auth-Type = Kerberos". What you have above is different. PLEASE follow instructions carefully.
Alan DeKok.
Reynolds, Walter wrote: ...
DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes That entry does nothing. I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS
I don't see why.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg02045.h...
Which doesn't mention an entry like the one quoted above.
Has something changes in recent code that makes this unnecessary?
I would first like to know why that entry does anything. It certainly doesn't set the User-Name. So it doesn't have anything to do with fixing the anonymous accounting issue. Alan DeKok.
DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes
That entry does nothing. I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS
Has something changes in recent code that makes this unnecessary?
No. You probably want: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = `%{User-Name}` Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Reynolds, Walter -
tnt@kalik.co.yu