802.1x & kerberos

tnt at kalik.co.yu
Thu Oct 11 21:57:28 CEST 2007


>rad_recv: Access-Request packet from host 127.0.0.1:49649, id=40, length=65
>         User-Name = "testuser at msu.edu"
>         User-Password = "XXXXXXXXXXXX"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
..
>     users: Matched entry DEFAULT at line 5     <=<=<=
>   modcall[authorize]: module "files" returns ok for request 33
..
>Sending Access-Accept of id 40 to 127.0.0.1 port 49649

>   rlm_eap: EAP packet type response id 1 length 18
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 4
>     users: Matched entry DEFAULT at line 10     <=<=<=
>   modcall[authorize]: module "files" returns ok for request 4
..
>modcall: leaving group authorize (returns updated) for request 4
>   rad_check_password:  Found Auth-Type Kerberos
>auth: type "Kerberos"
>   Processing the authenticate section of radiusd.conf
>modcall: entering group kerberos for request 4
>rlm_krb5: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "krb5" returns invalid for request 4
>modcall: leaving group kerberos (returns invalid) for request 4
>auth: Failed to validate the user.

Are those DEFAULT entries in the users file setting Auth-Type to Kerberos?
Delete that. Also remove/comment out another DEFAULT entry setting
Auth-Type to System (somewhere in the middle of the users file) since
that is most likely why things work when you put user info in the users file
and won't with Kerberos.

If you remove them, the server will set the correct Auth-Type by itself.

Ivan Kalik
Kalik Informatika ISP
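
A small check for the situation described in the reply above, added here as an illustration and not part of the original mailing list message: it scans a FreeRADIUS `users` file for entries whose check line forces `Auth-Type`, which is what sent the EAP request in the log to the krb5 module without a `User-Password`. The sample file contents and the function names are constructed for this example, and it assumes check items sit on the entry's first line with reply items indented below.

```python
import re

# Constructed sample of a "users" file (not the original poster's file).
SAMPLE_USERS = '''\
# local overrides
DEFAULT Auth-Type := Kerberos
        Fall-Through = Yes

testuser Cleartext-Password := "example"
        Reply-Message = "hello"

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP
'''

# Match "Auth-Type <op> <value>" but not names such as Post-Auth-Type.
AUTH_TYPE = re.compile(r'(?<![\w-])Auth-Type\s*(:=|==|\+=|=)\s*"?([\w-]+)"?')


def find_forced_auth_types(text):
    """Return (line_no, entry, operator, auth_type) for each entry
    whose check line sets Auth-Type."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Entry lines start in column 0; indented lines are reply items,
        # '#' starts a comment, empty lines separate entries.
        if not line or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        checks = parts[1] if len(parts) > 1 else ""
        match = AUTH_TYPE.search(checks)
        if match:
            findings.append((line_no, parts[0], match.group(1), match.group(2)))
    return findings


def default_overrides(text):
    """Only the DEFAULT entries, which apply to every request that reaches them."""
    return [f for f in find_forced_auth_types(text) if f[1] == "DEFAULT"]


if __name__ == "__main__":
    for line_no, entry, op, value in default_overrides(SAMPLE_USERS):
        print(f"line {line_no}: {entry} forces Auth-Type {op} {value}")
```
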
