802.1x & kerberos
Lisa Besko
besko at msu.edu
Thu Oct 11 17:28:36 CEST 2007
Thanks for the help so far. Part of the problem is that we have probably
tried so many things that we messed something up along the way and don't
remember what it is.
I think I have all the right stuff in the config files. I'll do a
little cut and paste here and maybe you will spot something I missed.
radiusd.conf (and all the eap parts are uncommented as well):
modules {
    ......
    krb5 {
        # keytab containing the key used by rlm_krb5
        keytab = /usr/local/raddb/nmserv.keytab
        # principal that is used by rlm_krb5
        #service_principal = host/our.host.name@MSU.EDU
    }
    .....
    pap {
        auto_header = yes
    }
    ........
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type kerberos {
        krb5
    }
}
-----------------------
eap.conf:
eap {
    default_eap_type = ttls
    md5 {
    }
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
users:
DEFAULT Freeradius-Proxied-To == 127.0.0.1
        Fall-Through = Yes
DEFAULT Auth-Type := Kerberos
        Fall-Through = 1
Debug output at the moment:
rlm_realm: Looking up realm "msu.edu" for User-Name = "testuser@msu.edu"
rlm_realm: Found realm "MSU.EDU"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm MSU.EDU
rlm_realm: Adding Realm = "MSU.EDU"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 1 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 10
modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
Processing the authenticate section of radiusd.conf
modcall: entering group kerberos for request 4
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
modcall: leaving group kerberos (returns invalid) for request 4
auth: Failed to validate the user.
A.L.M.Buxey at lboro.ac.uk wrote:
> No. You don't need to use the users file for the userid/password.
> You simply need to ensure that the krb5 module is in the Authorize
> section and that you have PAP enabled... and that you are using EAP-TTLS
> with PAP inner method.
>
> So... your FR config needs at least the following configs...
>
> radiusd.conf
>
> in the authorize section
>
> krb5 {
>
> }
>
> in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default for 2.x)
>
> Auth-Type krb5 {
>     krb5
> }
>
> You MAY configure krb5 in radiusd.... we haven't found this actually
> necessary(!)
>
> # krb5 {
> #     keytab = /path/to/keytab
> #     service_principal = name_of_principal
> # }
>
>
>
> Finally, if you are facing issues and you don't help by supplying
> a log file, then please ensure that your RADIUS request isn't being b0rked
> by something in the users file, e.g.
>
> DEFAULT Auth-Type = System
>
> You can at least change this to...
>
> DEFAULT Auth-Type = krb5
>
> Just for checking(!!)
>
> alan
--
Lisa Besko
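Pulling Alan's advice together with the debug output above: rlm_eap reports an ongoing EAP conversation and sets Auth-Type, the users file then forces Auth-Type := Kerberos on that same outer packet, and rlm_krb5 is invoked on a request that cannot carry a User-Password. The fragments below show the minimal FreeRADIUS 1.1.x layout for EAP-TTLS with a PAP inner method feeding rlm_krb5, with the users entry conditioned so that Kerberos is only forced on the tunnelled inner request. This is an added example written for this archive page, not the configuration of either poster; the hostname in the service principal, the eapol_test file name, the test password and the shared secret are assumptions.

```conf
# ---- radiusd.conf (FreeRADIUS 1.1.x layout, as in the post) ----
modules {
    krb5 {
        # The keytab holds the service key rlm_krb5 uses to verify the
        # KDC's reply (krb5_verify_init_creds). Without it, a host that
        # answers as the KDC could "accept" any password. The hostname
        # in the principal is an assumption for this example.
        keytab = /usr/local/raddb/nmserv.keytab
        service_principal = host/radius.example.org@MSU.EDU
    }
    pap {
        # Recognises {crypt}/{md5}-style headers; harmless here, since
        # Kerberos does the password check, not pap.
        auto_header = yes
    }
}

authorize {
    preprocess
    suffix
    eap
    files
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type Kerberos {
        krb5
    }
    eap
}

# ---- eap.conf ----
eap {
    default_eap_type = ttls
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        # default_eap_type only applies when the supplicant tunnels EAP.
        # With a PAP inner method the tunnel carries User-Name plus a
        # cleartext User-Password, which is exactly what rlm_krb5 needs.
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}

# ---- users ----
# The outer request carries EAP-Message and no password: leave its
# Auth-Type to rlm_eap. FreeRADIUS 1.x tags the tunnelled inner request
# with Freeradius-Proxied-To = 127.0.0.1, so force Kerberos only there.
#
# Wrong (what an unconditional second DEFAULT entry does):
#   DEFAULT Auth-Type := Kerberos
# overrides Auth-Type EAP on the outer packet, and rlm_krb5 then fails
# with "Attribute User-Password is required for authentication".
DEFAULT Freeradius-Proxied-To == 127.0.0.1, Auth-Type := Kerberos
        Fall-Through = Yes

# ---- ttls-pap.conf for eapol_test (file name is an assumption) ----
# ca_cert must be set: without it the supplicant hands the Kerberos
# password to any server that offers a TLS tunnel.
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="testuser@msu.edu"
    anonymous_identity="anonymous@msu.edu"
    password="testpassword"
    phase2="auth=PAP"
    ca_cert="/usr/local/raddb/certs/demoCA/cacert.pem"
}
```

To exercise the full path, run the server with radiusd -X and, from the same host, eapol_test -c ttls-pap.conf -a 127.0.0.1 -s testing123 (the secret is whatever clients.conf gives localhost; testing123 is the shipped default and an assumption here). In the debug output you should see a second, inner request carrying Freeradius-Proxied-To = 127.0.0.1 and a User-Password, files setting Auth-Type Kerberos on that request only, and rlm_krb5 returning ok. A plain radtest against the server will not reach the Kerberos entry with this users file, because it has no Freeradius-Proxied-To attribute; that is intended, since rlm_krb5 should only ever see a password that arrived inside the TLS tunnel.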