EAP-TTLS and Kerberos problem
Jakob Oestergaard
jakob at unthought.net
Tue Jan 24 20:31:06 CET 2006
Thanks a lot for the reply!
On Tue, Jan 24, 2006 at 12:28:00PM -0500, Alan DeKok wrote:
> Jakob Oestergaard <jakob at unthought.net> wrote again:
> > If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly
> > sees the PAP password from the laptop:
> >
> > DEFAULT Auth-Type = EAP
>
> You don't need to do that. The server will figure it out on its own.
It seems to me that it doesn't - read on.
>
> > If I put this in my users file, Kerberos works but FreeRADIUS does not
> > get the password from the notebook
>
> That's backwards. The notebook sends the password (maybe) to
> FreeRADIUS.
Ah yes - my bad
>
> > So, is there a way to tell FreeRADIUS to both use EAP *and* attempt
> > Kerberos authentication when it actually has a password?
>
> Yes. Your configuration is correct.
>
> Try running the server in debugging mode (as suggested in the
> README, FAQ, and INSTALL) to see why it's being rejected.
I did - unfortunately I didn't save the log output and I don't have a
laptop handy right now to retry - will fix...

The kerberos module complained that no "User-Password" was sent, and
therefore it couldn't try authenticating against the kerb. server.

If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages
would be decoded correctly and I could see the supplied password in
clear text. If I ran with Auth-Type = Kerberos, only the User-Name
would be decoded, no User-Password.

I can send proper logs tomorrow - in case the above doesn't ring any
bells :)

Thanks,
--
/ jakob