802.1x & kerberos
Kenneth Marshall
ktm at rice.edu
Thu Oct 11 17:37:18 CEST 2007
On Thu, Oct 11, 2007 at 11:28:36AM -0400, Lisa Besko wrote:
> Thanks for the help so far. Part of the problem is we have probably tried
> so many things that we probably messed something up along the way and don't remember
> what it is.
>
> I think I have all the right stuff in the config files. I'll do a little
> cut and paste here and maybe you will spot something I missed.
>
> radius.conf (and all the eap parts are uncommented as well):
>
> modules {
> ......
> krb5 {
> # keytab containing the key used by rlm_krb5
> keytab = /usr/local/raddb/nmserv.keytab
>
> # principal that is used by rlm_krb5
> #service_principal = host/our.host.name@MSU.EDU
> }
> .....
>
> pap {
> auto_header = yes
> }
> ........
> }
>
> authenticate {
> Auth-Type PAP {
> pap
> }
>
> Auth-Type kerberos {
> krb5
> }
> }
>
I think this should be Kerberos and not kerberos.
Ken
>
> -----------------------
> eap.conf:
> eap {
> default_eap_type = ttls
> md5 {
> }
>
> tls {
> private_key_password = whatever
> private_key_file = ${raddbdir}/certs/cert-srv.pem
> certificate_file = ${raddbdir}/certs/cert-srv.pem
> CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> }
>
> ttls {
>
> default_eap_type = md5
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> }
> }
>
>
>
> users:
> DEFAULT Freeradius-Proxied-To == 127.0.0.1
> Fall-Through = Yes
>
> DEFAULT Auth-Type := Kerberos
> Fall-Through = 1
>
>
> Debug output at the moment:
>
> rlm_realm: Looking up realm "msu.edu" for User-Name = "testuser@msu.edu"
> rlm_realm: Found realm "MSU.EDU"
> rlm_realm: Adding Stripped-User-Name = "testuser"
> rlm_realm: Proxying request from user testuser to realm MSU.EDU
> rlm_realm: Adding Realm = "MSU.EDU"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: EAP packet type response id 1 length 18
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 4
> users: Matched entry DEFAULT at line 10
> modcall[authorize]: module "files" returns ok for request 4
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> modcall[authorize]: module "pap" returns noop for request 4
> modcall: leaving group authorize (returns updated) for request 4
> rad_check_password: Found Auth-Type Kerberos
> auth: type "Kerberos"
> Processing the authenticate section of radiusd.conf
> modcall: entering group kerberos for request 4
> rlm_krb5: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "krb5" returns invalid for request 4
> modcall: leaving group kerberos (returns invalid) for request 4
> auth: Failed to validate the user.
>
>
> A.L.M.Buxey at lboro.ac.uk wrote:
>
>> no. you don't need to use the users file for the userid/password. you
>> simply need to ensure that the krb5 module is in the Authorize
>> section and that you have PAP enabled...and that you are using EAP-TTLS
>> with PAP inner method.
>> so....your FR config needs at least the following configs...
>> radiusd.conf
>> in the authorize section
>> krb5 {
>> }
>> in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default
>> for 2.x)
>> Auth-Type krb5 {
>> krb5
>> }
>> you MAY configure krb5 in radiusd.... we haven't found this actually
>> necessary(!)
>> # krb5 {
>> # keytab = /path/to/keytab
>> # service_principal = name_of_principle
>> # }
>> finally. if you are facing issues and you don't help with supplying a log
>> file then please ensure that your RADIUS request isn't being b0rked
>> by something in the users file e.g.
>> DEFAULT Auth-Type = System
>> you can at least change this to....
>> DEFAULT Auth-Type = krb5
>> just for checking(!!)
>> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> --
> Lisa Besko
>
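As an added example for this thread (not FreeRADIUS code, and not written by either poster), the script below reads the debug output and the eap.conf fragment quoted above and reports why rlm_krb5 rejected the request: the authenticate group that ran, the missing User-Password, and the inner EAP-MD5 method that can never supply one (Alan's point about needing PAP inside TTLS). The config reader is a hypothetical minimal parser for the brace-delimited radiusd syntax; the sample log lines and config are constructed from the thread.

```python
"""Diagnose an EAP-TTLS + rlm_krb5 failure from FreeRADIUS debug output and eap.conf.

Added example for this thread, not FreeRADIUS code. parse_blocks() is a
hypothetical minimal reader of the brace-delimited radiusd syntax, enough for
the fragments quoted above; it does not handle every construct FreeRADIUS does.
"""
import re

# Constructed sample: lines taken from the debug output quoted in the thread.
DEBUG_LOG = """\
rlm_realm: Authentication realm is LOCAL.
rlm_eap: EAP packet type response id 1 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
rlm_pap: WARNING! No "known good" password found for the user.
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
modcall: entering group kerberos for request 4
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
auth: Failed to validate the user.
"""

# Constructed sample: the eap.conf fragment from the thread (tls block shortened).
EAP_CONF = """\
eap {
    default_eap_type = ttls
    md5 {
    }
    tls {
        private_key_file = ${raddbdir}/certs/cert-srv.pem   # server key+cert
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
"""


def parse_blocks(text):
    """Parse brace-delimited config into nested dicts.

    'name {' opens a sub-block, '}' closes it, 'key = value' is a leaf.
    Text after '#' is a comment. Returns the top-level dict.
    """
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return stack[0]


def eap_methods(cfg):
    """Return (outer, inner): the tunnel method and the EAP type defaulted inside it."""
    eap = cfg.get("eap", {})
    outer = eap.get("default_eap_type")
    tunnel = eap.get(outer)
    inner = tunnel.get("default_eap_type") if isinstance(tunnel, dict) else None
    return outer, inner


def diagnose(debug_log, eap_conf):
    """Explain the rejection: which authenticate group ran and why krb5 bailed out."""
    findings = []
    outer, inner = eap_methods(parse_blocks(eap_conf))
    group = re.search(r"modcall: entering group (\S+) for request", debug_log)
    if group:
        findings.append(f"authenticate group entered: {group.group(1)}")
    if 'rlm_krb5: Attribute "User-Password" is required' in debug_log:
        findings.append("rlm_krb5 ran but the request carried no cleartext User-Password")
        if outer in ("ttls", "peap") and inner == "md5":
            findings.append(
                f"{outer} with inner EAP-MD5 never yields a cleartext password; "
                "use PAP as the inner method so krb5 can bind with it"
            )
    if 'rlm_pap: WARNING! No "known good" password' in debug_log:
        findings.append(
            "pap warning in authorize is harmless here: the password is checked "
            "by krb5 in authenticate, not compared locally"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_LOG, EAP_CONF):
        print("-", finding)
```

Run it as-is to see the four findings for the quoted trace; feed it your own `radiusd -X` output and eap.conf to check whether the tunnel's inner method is the reason krb5 never sees a password.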