802.1x & kerberos
Alan DeKok
aland at deployingradius.com
Fri Oct 12 10:45:11 CEST 2007
Lisa Besko wrote:
> Thanks for the help so far. Part of the problem is we have probably
> tried so many things we probably messed something up along the way and
> don't remember what it is.
Stop right there. If you don't keep track of what you're doing, you
will NEVER get it to work.
Throw away everything you've done, and start with all of the default
configuration files. Then, proceed with the following steps:
1) Configure EAP-TTLS
   i.e. the "tls" and "ttls" sub-sections of eap.conf
2) Put the following at the TOP of the "users" file:
     bob Cleartext-Password := "bob"
3) Start the server in debug mode
4) validate that you can log in with "bob" using radtest (i.e. PAP)
5) validate that EAP-TTLS works with username/password "bob" and "bob"
6) Configure kerberos in radiusd.conf.
7) Delete the "bob" entry in the "users" file.
8) Replace it with:
     DEFAULT Auth-Type = Kerberos
And it WILL work.
...
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>
>     Auth-Type kerberos {
>         krb5
>     }
> }
If you don't list "eap" there, it won't work. Again, throw away your
existing configuration files, and start from the default ones.
> users:
> DEFAULT Freeradius-Proxied-To == 127.0.0.1
>     Fall-Through = Yes
That entry does nothing.
> DEFAULT Auth-Type := Kerberos
>     Fall-Through = 1
An earlier message in this thread said "Auth-Type = Kerberos". What
you have above is different. PLEASE follow instructions carefully.
Alan DeKok.
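
Added example, not part of the original message and not FreeRADIUS project code: a small lint that checks a radiusd.conf and a "users" file for the two mistakes pointed out in the reply above (no "eap" in the authenticate section, and an Auth-Type operator other than "="). The function names are hypothetical and the sample inputs are constructed from the configuration quoted in the thread.

```python
import re
# Constructed samples and hypothetical helper names; not FreeRADIUS code.
SAMPLE_RADIUSD = """
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type kerberos {
        krb5
    }
}
"""
SAMPLE_USERS = """
DEFAULT Freeradius-Proxied-To == 127.0.0.1
    Fall-Through = Yes

DEFAULT Auth-Type := Kerberos
    Fall-Through = 1
"""

def strip_comments(text):
    # Simplification: treats every '#' as a comment start, even inside quotes.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def section_body(conf, name):
    # Text inside 'name { ... }', honouring nested braces; None if absent/unbalanced.
    m = re.search(r"^\s*" + re.escape(name) + r"\s*\{", conf, re.M)
    depth = 1
    for i in range(m.end(), len(conf)) if m else ():
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return None

def lint(radiusd_conf, users):
    findings = []
    body = section_body(strip_comments(radiusd_conf), "authenticate")
    if body is None:
        findings.append("radiusd.conf: no complete authenticate section")
    elif "eap" not in {line.strip() for line in body.splitlines()}:
        findings.append("radiusd.conf: 'eap' is not listed in authenticate")
    for n, line in enumerate(strip_comments(users).splitlines(), 1):
        # ':=' replaces any Auth-Type already set; '=' sets it only if none is.
        m = re.match(r"DEFAULT\s+Auth-Type\s*([:=+]+)\s*Kerberos\b", line)
        if m and m.group(1) != "=":
            findings.append(f"users:{n}: Auth-Type {m.group(1)} Kerberos, reply says '='")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_RADIUSD, SAMPLE_USERS)))
```

Run against the constructed samples it reports both problems; with "eap" added to authenticate and the operator changed to "=" it reports nothing.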