Freeradius-Users Digest, Vol 30, Issue 48
Reynolds, Walter
waltr at umich.edu
Fri Oct 12 16:11:44 CEST 2007
--
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
> -----Original Message-----
>
> Message: 5
> Date: Fri, 12 Oct 2007 10:45:11 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: 802.1x & kerberos
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <470F3417.8040308 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Lisa Besko wrote:
> > Thanks for the help so far. Part of the problem is we have probably
> > tried so many things we probably messed something up along the way
> > don't remember what it is.
>
> Stop right there. If you don't keep track of what you're doing, you
> will NEVER get it to work.
>
> Throw away everything you've done, and start with all of the default
> configuration files. Then, proceed with the following steps:
>
> 1) Configure EAP-TTLS
> i.e. the "tls" and "ttls" sub-sections of eap.conf
>
> 2) Put the following at the TOP of the "users" file:
>
> bob Cleartext-Password := "bob"
>
> 3) Start the server in debug mode
>
> 4) validate that you can log in with "bob" using radtest (i.e. PAP)
>
> 5) validate that EAP-TTLS works with username/password "bob" and "bob"
>
> 6) Configure kerberos in radiusd.conf.
>
> 7) Delete the "bob" entry in the "users" file.
>
> 8) Replace it with:
>
> DEFAULT Auth-Type = Kerberos
>
> And it WILL work.
> ...
> > authenticate {
> > Auth-Type PAP {
> > pap
> > }
> >
> > Auth-Type kerberos {
> > krb5
> > }
> > }
>
> If you don't list "eap" there, it won't work. Again, throw away your
> existing configuration files, and start from the default ones.
> > users:
> > DEFAULT Freeradius-Proxied-To == 127.0.0.1
> > Fall-Through = Yes
>
> That entry does nothing.
I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg02045.html
Has something changed in recent code that makes this unnecessary?
>
> > DEFAULT Auth-Type := Kerberos
> > Fall-Through = 1
>
> An earlier message in this thread said "Auth-Type = Kerberos". What
> you have above is different. PLEASE follow instructions carefully.
>
> Alan DeKok.
>
>
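
The end state of the quoted eight-step procedure, with the two corrections from the quoted reply applied, as an added example (not part of either message and not the FreeRADIUS project's own files). It assumes the 1.x-era radiusd.conf layout and an authorize order in which eap runs before files; the keytab path and principal are placeholders, and the operator behaviour in the comments is as described in the users(5) manual page.

```conf
# ---- radiusd.conf (excerpt; unrelated default entries omitted) ----

modules {
	# Step 6: the Kerberos module. Both values are placeholders.
	krb5 {
		keytab = /path/to/keytab
		service_principal = name_of_principal
	}
}

authorize {
	preprocess
	eap	# outer EAP-TTLS packets: sets Auth-Type to EAP
	files	# reads the "users" file shown below
}

authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type Kerberos {
		krb5
	}

	# Absent from the section posted in the thread. Without it the
	# outer EAP-TTLS conversation has no module to handle it.
	eap
}

# ---- users (steps 7 and 8: the "bob" test entry is gone) ----
#
# "=" sets Auth-Type only if nothing earlier in authorize has set it,
# so the outer request keeps Auth-Type EAP and only the tunnelled PAP
# request, which carries no EAP-Message, is handed to krb5.
# ":=" always replaces the existing value, so the outer EAP request
# would also be sent to krb5, where it has no User-Password to check.
DEFAULT	Auth-Type = Kerberos
```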