802.1x & kerberos
A.L.M.Buxey at lboro.ac.uk
Thu Oct 11 16:00:39 CEST 2007
Hi,
> It works w/o EAP. I can do a radtest with a valid userid and password
> on the kerberos server and get authorized (and not get authorized with
> bad information).
right
> I can get EAP-TTLS to work if I put a user and a password in the radius
> users file but that's not what we want. We need the kerberos piece to
> work. I'd be happy to send some config files along if that would help.
> I feel like I'm missing something small that's so obvious no one has
> thought to document it.
No. You don't need to use the users file for the userid/password.
You simply need to ensure that the krb5 module is in the authorize
section and that you have PAP enabled... and that you are using EAP-TTLS
with a PAP inner method.
So... your FR config needs at least the following:
radiusd.conf
in the authorize section:
    krb5 {
    }
in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x):
    Auth-Type krb5 {
        krb5
    }
You MAY configure krb5 in radiusd.conf... we haven't found this actually
necessary(!)
    # krb5 {
    #     keytab = /path/to/keytab
    #     service_principal = name_of_principal
    # }
Finally, if you are facing issues and you don't help by supplying
a log file, then please ensure that your RADIUS request isn't being b0rked
by something in the users file, e.g.
    DEFAULT Auth-Type = System
You can at least change this to...
    DEFAULT Auth-Type = krb5
just for checking(!!)
alan
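An offline checker for the three points in Alan's reply, added here as an example; it is not code from the original post or from the FreeRADIUS project. It parses the brace-delimited radiusd.conf / sites-enabled syntax and reports whether krb5 is listed in `authorize`, whether `authenticate` has an `Auth-Type krb5 { krb5 }` sub-section, and whether a `DEFAULT Auth-Type = ...` entry in the users file would override that Auth-Type (the `System` case the reply warns about). The function names (`parse_conf`, `default_auth_types`, `check_krb5_setup`) and the sample config and users-file text are this example's own constructions. Note that on 2.x with EAP-TTLS the tunnelled PAP request is processed by the `inner-tunnel` virtual server configured in eap.conf, so run the check over that file's `authorize`/`authenticate` sections as well as `sites-enabled/default`.

```python
"""Added example, not from the original post or from FreeRADIUS: an offline
checker for the reply's recipe (krb5 in authorize, 'Auth-Type krb5 { krb5 }'
in authenticate, no users-file DEFAULT entry forcing another Auth-Type).
Function names and the sample config text below are this example's own."""
import re
from typing import Dict, List

# A parsed section: "_items" holds the bare module/attribute lines in order;
# every other key is a named sub-section such as "Auth-Type krb5".
Section = Dict[str, object]
_EMPTY_SECTION = re.compile(r"^(.+?)\s*\{\s*\}$")
# First line of a users entry: 'DEFAULT <check items>', with Auth-Type op value
_DEFAULT_AUTH_TYPE = re.compile(r'^DEFAULT\b.*?\bAuth-Type\s*(?::=|==|=)\s*"?([^\s,"]+)')


def parse_conf(text: str) -> Section:
    """Parse radiusd.conf / sites-enabled syntax ('name {' ... '}', one-line
    'name { }', '#' comments) into nested dicts; raise on unbalanced braces."""
    root: Section = {"_items": []}
    stack: List[Section] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        elif (m := _EMPTY_SECTION.match(line)):
            stack[-1][m.group(1)] = {"_items": []}
        elif line.endswith("{"):
            child: Section = {"_items": []}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            stack[-1]["_items"].append(line)
    if len(stack) != 1:
        raise ValueError("unterminated section (missing '}')")
    return root


def default_auth_types(users_text: str) -> List[str]:
    """Auth-Type values forced by DEFAULT entries in a users file."""
    found = []
    for raw in users_text.splitlines():
        m = _DEFAULT_AUTH_TYPE.match(raw.split("#", 1)[0].strip())
        if m:
            found.append(m.group(1))
    return found


def check_krb5_setup(conf_text: str, users_text: str) -> List[str]:
    """Return findings; an empty list means the reply's recipe is in place."""
    findings: List[str] = []
    conf = parse_conf(conf_text)
    authorize = conf.get("authorize")
    if authorize is None or "krb5" not in authorize["_items"]:
        findings.append("krb5 is not listed in the authorize section")
    krb5_block = (conf.get("authenticate") or {}).get("Auth-Type krb5")
    if krb5_block is None or "krb5" not in krb5_block["_items"]:
        findings.append("authenticate has no 'Auth-Type krb5 { krb5 }' sub-section")
    for value in default_auth_types(users_text):
        if value.lower() != "krb5":
            findings.append(f"users file DEFAULT entry forces Auth-Type = {value}, "
                            "which overrides krb5")
    return findings


# Constructed samples: the reply's recipe, and the broken case it warns about
# (krb5 missing, users file still saying 'DEFAULT Auth-Type = System').
GOOD_CONF = """\
authorize {
    krb5
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type krb5 {
        krb5
    }
}
"""
GOOD_USERS = "DEFAULT Auth-Type = krb5\n"
BAD_CONF = """\
authorize {
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
"""
BAD_USERS = "DEFAULT Auth-Type = System\n"

if __name__ == "__main__":
    print("good:", check_krb5_setup(GOOD_CONF, GOOD_USERS) or "OK")
    print("bad:", check_krb5_setup(BAD_CONF, BAD_USERS))
```

Running the file prints `OK` for the sample that follows the recipe and three findings for the broken one. The parser deliberately raises on unbalanced braces rather than guessing, since a config with a missing `}` is one radiusd will refuse to load anyway, and that is worth surfacing before you go looking at the users file.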