802.1x & kerberos

Alan DeKok aland at deployingradius.com
Fri Oct 12 10:45:11 CEST 2007

Lisa Besko wrote:
> Thanks for the help so far.  Part of the problem is we have probably
> tried so many things we probably messed something up along the way and don't
> remember what it is.

  Stop right there.  If you don't keep track of what you're doing, you
will NEVER get it to work.

  Throw away everything you've done, and start with all of the default
configuration files.  Then, proceed with the following steps:

1) Configure EAP-TTLS
   i.e. the "tls" and "ttls" sub-sections of eap.conf

2) Put the following at the TOP of the "users" file:

bob	Cleartext-Password := "bob"

3) Start the server in debug mode

4) validate that you can log in with "bob" using radtest (i.e. PAP)

5) validate that EAP-TTLS works with username/password "bob" and "bob"

6) Configure kerberos in radiusd.conf.

7) Delete the "bob" entry in the "users" file.

8) Replace it with:

DEFAULT Auth-Type = Kerberos

  And it WILL work.

> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
> Auth-Type kerberos {
>            krb5
>         }
> }

  If you don't list "eap" there, it won't work.  Again, throw away your
existing configuration files, and start from the default ones.
> users:
> DEFAULT         Freeradius-Proxied-To ==
>                  Fall-Through = Yes

  That entry does nothing.

> DEFAULT Auth-Type := Kerberos
>         Fall-Through = 1

  An earlier message in this thread said "Auth-Type = Kerberos".  What
you have above is different.  PLEASE follow instructions carefully.

  Alan DeKok.
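The eight steps above, collected into the configuration fragments they produce. This is an added example, not Alan's own files or the project's shipped defaults: the certificate paths are the sample-certificate paths from the 1.x eap.conf, and the keytab path, service principal, and the shared secret testing123 used with radtest against localhost are assumed placeholders. The authorize section is left at its default, which already runs eap before files. Two caveats a practitioner will want: rlm_krb5 verifies the clear-text User-Password against the KDC, so the inner TTLS method has to be PAP (MS-CHAPv2 inside the tunnel never exposes the password and cannot be checked against Kerberos); and the operator on the final DEFAULT entry matters, because in the users file "=" sets Auth-Type only if nothing has set it yet, whereas ":=" overwrites the Auth-Type EAP that the eap module assigned in authorize and pushes the outer EAP packets into krb5, which is why the thread insists on "=".

```conf
# --- eap.conf, step 1: the "tls" and "ttls" sub-sections.
#     Paths are the 1.x sample-certificate paths (assumed); replace with
#     the real server certificate before going anywhere near production.
eap {
	default_eap_type = ttls
	tls {
		private_key_password = whatever
		private_key_file = ${raddbdir}/certs/cert-srv.pem
		certificate_file = ${raddbdir}/certs/cert-srv.pem
		CA_file = ${raddbdir}/certs/demoCA/cacert.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
	}
	ttls {
		# inner method must be PAP so krb5 receives the clear-text password
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
	}
}

# --- users, step 2: one local test account at the TOP of the file ---
bob	Cleartext-Password := "bob"

# --- steps 3-5, run from a shell (shared secret "testing123" is the
#     stock localhost entry in clients.conf, assumed unchanged):
#       radiusd -X
#       radtest bob bob localhost 0 testing123      # expect Access-Accept
#     then an EAP-TTLS/PAP login as bob/bob from a supplicant.

# --- radiusd.conf, step 6: krb5 module instance (assumed keytab and
#     principal; the keytab must be readable only by the radiusd user) ---
modules {
	krb5 {
		keytab = /etc/raddb/radius.keytab
		service_principal = radius/radius.example.com
	}
}

# --- radiusd.conf, authenticate: "eap" MUST be listed or every EAP request
#     is rejected; krb5 runs only when Auth-Type has been set to Kerberos ---
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type Kerberos {
		krb5
	}
	eap
}

# --- users, steps 7-8: the "bob" line is deleted and replaced by this.
#     "=" sets Auth-Type only when it is still unset (the inner PAP request
#     from the TTLS tunnel); ":=" would clobber Auth-Type EAP on the outer
#     request and break EAP entirely. No Fall-Through is needed. ---
DEFAULT	Auth-Type = Kerberos
```

If step 4 passes but step 5 fails, the fault is in the TLS side (certificates, client trust) and has nothing to do with Kerberos; if step 5 passes but the Kerberos DEFAULT entry fails, run radiusd -X and check that the inner request shows "Auth-Type = Kerberos" and that krb5 reports a keytab or KDC error rather than a missing User-Password.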
