kerberos authentication

Riccardo.Veraldi Riccardo.Veraldi at fi.infn.it
Thu Jan 12 09:28:27 CET 2006


Actually I used EAP-TTLS with EAP-MD5 inside the tunnel
I think I should try PAP inside the TLS tunnel, isn't it?
I'll try

Rick


Alan DeKok wrote:

>"Riccardo.Veraldi" <Riccardo.Veraldi at fi.infn.it> wrote:
>
>>But I am unable to successfully authenticate
>>and I get this error:
>>
>>rlm_krb5: Attribute "User-Password" is required for authentication.
>
>...
>
>>I would like the authentication via 802.1x to point to my kerberos server
>>instead of a local radius users file authentication (this indeed works
>>with EAP-TTLS).
>
>  Because EAP-TTLS supplies a clear-text password in the TLS tunnel.
>
>  The message you're getting is from a PEAP session (and no, you don't
>say that).  PEAP uses MS-CHAP inside of the TLS tunnel, which means
>it's impossible to do kerberos authentication.  MS-CHAP doesn't supply
>a clear-text password, so you can't use that, and kerberos doesn't
>understand MS-CHAP.
>
>>should I instead use PAM module and configure PAM
>>to authenticate using kerberos?
>
>  No.  PAM doesn't understand MS-CHAP, either.
>
>  What you want to do is impossible, because it's designed to be
>impossible by the people who created MS-CHAP and Kerberos.
>
>  Alan DeKok.
>
>
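
Added example, not part of the original thread and not FreeRADIUS code: a small Python model of the point discussed above, showing that a PAP inner method hands the server a clear-text password it can pass to a Kerberos-style check, while an EAP-MD5 (CHAP-style) inner method delivers only a one-way digest. The function names, the sample realm, user and password, and the PBKDF2-only key derivation standing in for the KDC are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: realm, user and password are made up for this example.
REALM, USER, PASSWORD = "EXAMPLE.ORG", "rick", "correct horse"

def string_to_key(password: str, salt: str) -> bytes:
    # Simplified stand-in for a Kerberos string-to-key step (PBKDF2 only).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

# The KDC keeps only the derived key, never the password itself.
KDC_DB = {USER: string_to_key(PASSWORD, REALM + USER)}

def kdc_verify(user: str, password: str) -> bool:
    """Hypothetical Kerberos-style check: it needs the clear-text password."""
    key = KDC_DB.get(user)
    return key is not None and hmac.compare_digest(key, string_to_key(password, REALM + user))

def eap_md5_response(ident: int, password: str, challenge: bytes) -> bytes:
    # EAP-MD5 / CHAP (RFC 1994): MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def radius_authenticate(user: str, inner: dict) -> str:
    """What the RADIUS server can do with each inner method's attributes."""
    if "User-Password" in inner:                 # PAP inside the TLS tunnel
        return "accept" if kdc_verify(user, inner["User-Password"]) else "reject"
    # Challenge-response: only a one-way digest arrived, nothing to give the KDC.
    return 'error: Attribute "User-Password" is required for authentication.'

def local_md5_check(stored_password: str, inner: dict) -> bool:
    # Works only when the server holds the clear-text password (e.g. a users file).
    expected = eap_md5_response(inner["ident"], stored_password, inner["challenge"])
    return hmac.compare_digest(expected, inner["response"])

def demo() -> dict:
    challenge = os.urandom(16)
    md5_inner = {"ident": 7, "challenge": challenge,
                 "response": eap_md5_response(7, PASSWORD, challenge)}
    return {
        "ttls_pap_good": radius_authenticate(USER, {"User-Password": PASSWORD}),
        "ttls_pap_bad": radius_authenticate(USER, {"User-Password": "wrong"}),
        "ttls_md5_krb5": radius_authenticate(USER, md5_inner),
        "ttls_md5_users_file": local_md5_check(PASSWORD, md5_inner),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the case where the digest can be checked: the verifier itself stores the clear-text password, which a store of derived keys does not.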


More information about the Freeradius-Users mailing list