EAP-TTLS and Kerberos problem

Jakob Oestergaard jakob at unthought.net
Tue Jan 24 20:31:06 CET 2006


Thanks a lot for the reply!

On Tue, Jan 24, 2006 at 12:28:00PM -0500, Alan DeKok wrote:
> Jakob Oestergaard <jakob at unthought.net> wrote again:
> > If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly
> > sees the PAP password from the laptop:
> > 
> > DEFAULT Auth-Type = EAP
> 
>   You don't need to do that.  The server will figure it out on its own.

It seems to me that it doesn't - read on.

> 
> > If I put this in my users file, Kerberos works but FreeRADIUS does not
> > get the password from the notebook
> 
>   That's backwards.  The notebook sends the password (maybe) to
> FreeRADIUS.

Ah yes - my bad

> 
> > So, is there a way to tell FreeRADIUS to both use EAP *and* attempt
> > Kerberos authentication when it actually has a password?
> 
>   Yes.  Your configuration is correct.
> 
>   Try running the server in debugging mode (as suggested in the
> README, FAQ, and INSTALL) to see why it's being rejected.

I did - unfortunately I didn't save the log output and I don't have a
laptop handy right now to retry - will fix...

The kerberos module complained that no "User-Password" was sent, and
therefore it couldn't try authenticating against the kerb. server.

If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages
would be decoded correctly and I could see the supplied password in
clear text.  If I ran with Auth-Type = Kerberos, only the User-Name
would be decoded, no User-Password.

I can send proper logs tomorrow - in case the above doesn't ring any
bells :)

Thanks,

-- 

 / jakob
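
An added illustration, not part of the original message and not FreeRADIUS code: with EAP-TTLS and inner PAP, User-Password exists only as a Diameter-style AVP inside the TLS tunnel (RFC 5281), so a module run against the outer request alone has a User-Name but no password to check. The sample bytes, the outer identity and all function names are constructed for this sketch.

```python
import struct

# AVP codes match the RADIUS attribute numbers.
USER_NAME, USER_PASSWORD = 1, 2
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40  # V bit adds a 4-byte Vendor-ID

def encode_avp(code, data, flags=FLAG_MANDATORY):
    """Build one AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)

def pad_pap_password(password):
    """TTLS/PAP null-pads the password to a multiple of 16 bytes."""
    return password + b"\x00" * (-len(password) % 16)

def parse_inner_avps(buf):
    """Parse a decrypted TTLS tunnel payload into {code: value}."""
    attrs, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        attrs[code] = buf[off + hdr:off + length]
        off += length + (-length % 4)  # skip padding to the 4-byte boundary
    return attrs

def password_for_backend(attrs):
    """Clear-text password for a PAP-style backend, or None if absent."""
    raw = attrs.get(USER_PASSWORD)
    return None if raw is None else raw.rstrip(b"\x00")

# Constructed sample: the outer request versus the tunnelled attributes.
outer_request = {USER_NAME: b"anonymous"}
tunnel_payload = (encode_avp(USER_NAME, b"jakob")
                  + encode_avp(USER_PASSWORD, pad_pap_password(b"s3cret")))
inner_request = parse_inner_avps(tunnel_payload)

if __name__ == "__main__":
    print("outer password:", password_for_backend(outer_request))
    print("inner password:", password_for_backend(inner_request))
```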




More information about the Freeradius-Users mailing list