802.1x & kerberos
Lisa Besko
besko at msu.edu
Thu Oct 11 18:21:58 CEST 2007
Having made no changes to the config but using radtest from the command
line, this is the debug output using kerberos but not EAP:
rad_recv: Access-Request packet from host 127.0.0.1:49649, id=40, length=65
User-Name = "testuser at msu.edu"
User-Password = "XXXXXXXXXXXX"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 33
modcall[authorize]: module "preprocess" returns ok for request 33
modcall[authorize]: module "chap" returns noop for request 33
modcall[authorize]: module "mschap" returns noop for request 33
rlm_realm: Looking up realm "msu.edu" for User-Name =
"testuser at msu.edu"
rlm_realm: Found realm "MSU.EDU"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm MSU.EDU
rlm_realm: Adding Realm = "MSU.EDU"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 33
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 33
users: Matched entry DEFAULT at line 5
modcall[authorize]: module "files" returns ok for request 33
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 33
modcall: leaving group authorize (returns ok) for request 33
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
Processing the authenticate section of radiusd.conf
modcall: entering group kerberos for request 33
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
modcall[authenticate]: module "krb5" returns ok for request 33
modcall: leaving group kerberos (returns ok) for request 33
Sending Access-Accept of id 40 to 127.0.0.1 port 49649
Finished request 33
Going to the next request
====================================================
This is from a message I posted earlier with kerberos and EAP. I hope
that's enough of it for you since my client started acting up and now I
have to beat on it a bit:
rlm_realm: Looking up realm "msu.edu" for User-Name = "testuser at msu.edu"
rlm_realm: Found realm "MSU.EDU"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm MSU.EDU
rlm_realm: Adding Realm = "MSU.EDU"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 1 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 10
modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
Processing the authenticate section of radiusd.conf
modcall: entering group kerberos for request 4
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
modcall: leaving group kerberos (returns invalid) for request 4
auth: Failed to validate the user.
=========================================
tnt at kalik.co.yu wrote:
> Can you post the debug (radiusd -X) for the same user with and without
> EAP (using Kerberos - no users file entry).
>
> Ivan Kalik
> kalik Informatika ISP
>
>
> On 11/10/2007, "Lisa Besko" <besko at msu.edu> writes:
>
>> It works w/o EAP. I can do a radtest with a valid userid and password
>> on the kerberos server and get authorized (and not get authorized with
>> bad information).
>>
>> I can get EAP-TTLS to work if I put a user and a password in the radius
>> users file but that's not what we want. We need the kerberos piece to
>> work. I'd be happy to send some config files along if that would help.
>> I feel like I'm missing something small that's so obvious no one has
>> thought to document it.
>>
>> We can get various parts working at any given moment with kerberos but
>> we can't get it all working.
>>
>> Thanks,
>>
>> LB
>>
>> tnt at kalik.co.yu wrote:
>>> It should be. Use EAP-TTLS/PAP and configure kerberos module in
>>> radiusd.conf:
>>>
>>> http://wiki.freeradius.org/index.php/Rlm_krb5
>>>
>>> Make sure that it works without EAP first.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>>
>>> On 10/10/2007, "Lisa Besko" <besko at msu.edu> writes:
>>>
>>>> Is there a way to do 802.1x with Kerberos authentication using Freeradius?
>>>>
>>>> If there is, can anyone point me in the right direction?
>>>>
>>>> We have been trying eap-ttls most recently with very little luck but
>>>> everything I have read says this should be possible. What are we missing?
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Lisa Besko
Systems Administrator 517-432-7317
Network Management besko at msu.edu
Academic Computing & Network Services
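An added example (my own code, not from the thread or from FreeRADIUS) that reads a constructed condensation of the two radiusd -X excerpts above and flags what they show: the Auth-Type Kerberos that the users file DEFAULT entry appears to set is applied to the outer EAP request, where rlm_krb5 has no User-Password to check (in EAP-TTLS/PAP the password only exists inside the tunnel), and in the non-EAP run rlm_krb5 returns ok right after "host key not found", so the TGT was never verified against a host keytab. The sample log and the issue codes are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample, condensed from the two radiusd -X excerpts in the thread
# (request 33: radtest without EAP; request 4: the outer EAP-TTLS request).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1:49649, id=40, length=65
User-Name = "testuser@msu.edu"
User-Password = "XXXXXXXXXXXX"
modcall: entering group authorize for request 33
rlm_eap: No EAP-Message, not doing EAP
users: Matched entry DEFAULT at line 5
rad_check_password: Found Auth-Type Kerberos
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
modcall[authenticate]: module "krb5" returns ok for request 33
Finished request 33
rad_recv: Access-Request packet from host 127.0.0.1:49650, id=41, length=142
User-Name = "testuser@msu.edu"
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 1 length 18
users: Matched entry DEFAULT at line 10
rad_check_password: Found Auth-Type Kerberos
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
Finished request 4
"""

REQ_RE = re.compile(r"for request (\d+)")

def analyze_radius_debug(text: str) -> List[Dict[str, str]]:
    """Split radiusd -X output into requests and flag the two krb5 outcomes."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv:") or cur is None:       # new request block
            cur = {"id": "?", "attrs": set(), "eap": False, "auth_type": None, "krb5": []}
            blocks.append(cur)
        if line.startswith("Finished request"):
            cur = None
            continue
        if m := REQ_RE.search(line):
            cur["id"] = m.group(1)
        if " = " in line and not line.startswith(("rlm_", "modcall", "users:", "rad_recv")):
            cur["attrs"].add(line.split(" = ", 1)[0])          # bare attribute line
        if line.startswith("rlm_eap: EAP packet type"):
            cur["eap"] = True                                   # outer EAP request
        if line.startswith("rad_check_password: Found Auth-Type"):
            cur["auth_type"] = line.rsplit(" ", 1)[1]
        if line.startswith("rlm_krb5:"):
            cur["krb5"].append(line)
    findings = []
    for b in blocks:
        if b["auth_type"] != "Kerberos":
            continue
        if b["eap"] and "User-Password" not in b["attrs"]:
            findings.append({"request": b["id"], "issue": "auth-type-on-outer-eap",
                             "detail": "krb5 only sees User-Password inside the TTLS tunnel"})
        if any("host key not found" in s for s in b["krb5"]):
            findings.append({"request": b["id"], "issue": "unverified-tgt",
                             "detail": "krb5 returned ok without a host keytab to verify the TGT"})
    return findings
```

The second finding is the one to act on even when authentication "works": without a host keytab the module cannot confirm the TGT came from the real KDC.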