EAP-TTLS and Kerberos problem

Alan DeKok aland at ox.org
Tue Jan 24 22:04:00 CET 2006


Jakob Oestergaard <jakob at unthought.net> wrote:
> The kerberos module complained that no "User-Password" was sent, and
> therefore it couldn't try authenticating against the kerb. server.

  Because:

  a) the server got EAP, and you told it to do kerberos

  or

  b) the tunneled authentication protocol wasn't PAP.

> If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages
> would be decoded correctly and I could see the supplied password in
> clear text.

  So Kerberos should work, then.

>  If I ran with Auth-Type = Kerberos, only the User-Name would be
> decoded, no User-Password.

  Huh?  What do you mean by that?

  If you can see the clear-text password inside of the tunnel, then
kerberos should work.

  Run it in debugging mode to see what it's doing.  NOTHING else will
solve the problem.

  Alan DeKok.
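Added example, not part of the original thread and not FreeRADIUS code: a small RADIUS attribute parser (RFC 2865 layout) run over two constructed requests. It shows why a password-checking module has nothing to work with on the outer EAP request, while the tunneled PAP request does carry a User-Password. Assumptions: the function names and sample values are hypothetical, and the inner request is modelled as a plain RADIUS-format attribute list, although EAP-TTLS itself carries tunneled attributes as Diameter AVPs.

```python
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 3579)
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80

def build_request(attrs, ident=1):
    """Build a constructed Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return {type: [values]} for a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def usable_auth(attrs):
    """Say which kind of module has something to work with in this request."""
    if USER_PASSWORD in attrs:
        return "password"  # PAP-style: a password checker such as Kerberos can run
    if EAP_MESSAGE in attrs:
        return "eap"       # only the EAP module can proceed; no password present
    return "none"

# Constructed sample: the outer EAP-TTLS request as the server first receives it.
OUTER = build_request([
    (USER_NAME, b"anonymous"),
    (EAP_MESSAGE, bytes([2, 1, 0, 14, 1]) + b"anonymous"),  # EAP-Response/Identity
    (MESSAGE_AUTHENTICATOR, bytes(16)),
])
# Constructed sample: attributes recovered from the tunnel when it carries PAP.
INNER = build_request([(USER_NAME, b"jakob"), (USER_PASSWORD, b"constructed-pw!!")])

if __name__ == "__main__":
    for name, pkt in (("outer", OUTER), ("inner", INNER)):
        print(name, usable_auth(parse_attributes(pkt)))
```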




More information about the Freeradius-Users mailing list