802.1x & kerberos
Phil Mayers
p.mayers at imperial.ac.uk
Tue Oct 16 15:32:29 CEST 2007
On Mon, 2007-10-15 at 12:22 -0400, Lisa Besko wrote:
> Alan DeKok wrote:
>
> >> DEFAULT Auth-Type := Kerberos
> >> Fall-Through = 1
> >
> > An earlier message in this thread said "Auth-Type = Kerberos". What
> > you have above is different.
>
> And herein lies the problem. I just went back and tested this. I had
> been working with Walt Reynolds on the issue and we had shared some
> files and after that things started working with a Mac client but not
> with my Win XP client (one of the Xsupplicants we had installed had
> hosed the system so I couldn't tell when things had gotten better).
>
> According to the man 5 users page:
>
> Auth-Type = Kerberos is allowed for a server configuration variable such
> as Auth-Type, whereas
>
> Auth-Type := Kerberos (note the Colon before the equal sign) is a check
> item and replaces in the configuration items any attribute of the same name.
>
> Having the colon there or not there made a very big difference in how it
> behaved.
Slight clarification:
"Auth-Type = Kerberos" sets Auth-Type IF AND ONLY IF it's unset
"Auth-Type := Kerberos" sets Auth-Type unconditionally
The reason the former works and the latter fails is due to the
following:
authorize {
preprocess
eap
files
}
authenticate {
eap
Auth-Type Kerberos {
krb5
}
}
...with this in "users"
name Auth-Type = Kerberos
The flow through this is:
1. Access-Request/EAP-Message passes through authorize
a. preprocess
b. eap - sees EAP-Message, sets Auth-Type to EAP
c. files - does not match (Auth-Type is already set)
2. Access-Request/EAP-Message passes through authenticate
a. Auth-Type is "EAP", eap module runs
3. TTLS tunnel setup starts
4. Access-Challenge sent back to client
5. steps 1-4 repeated several times
6. EAP-TTLS tunnel established - the INNER packet is then looped back to
the server as a PAP request
7. PAP request passes through authorize
a. preprocess
b. eap - does not match, no-op
c. files - matches, sets Auth-Type to Kerberos
8. PAP request passes through authenticate
a. krb5 called, authenticates PAP request
9. Access-Accept or Access-Reject sent back to TTLS session
10. EAP-TTLS tunnel sends Accept or Reject to client
If you use "Auth-Type := Kerberos", this becomes:
1. EAP
a. preprocess
b. eap - Auth-Type set to EAP
c. files - Auth-Type overridden with Kerberos
2. EAP (authenticate)
a. Auth-Type is kerberos - krb5 module called
b. krb5 module fails, since the packet is an EAP packet (not PAP)
Hope that helps.
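The two flows above, worked through as a small Python model. This is an added illustration, not FreeRADIUS code and not part of the original post: the modules are reduced to the two facts the explanation relies on (the eap module sets Auth-Type when it sees an EAP-Message; krb5 needs a cleartext User-Password and cannot handle an EAP packet), and the two request packets, the password and the kdc_check() stand-in are constructed for the example.

```python
"""Model of the users-file operators '=' and ':=' and of the
authorize/authenticate flow described in the post (added example, not
FreeRADIUS code).  Only the behaviour the post depends on is modelled.
"""

# Two RADIUS requests, constructed for the example: the outer EAP-TTLS
# packet and the inner PAP packet that the TTLS tunnel loops back.
OUTER_EAP_REQUEST = {"User-Name": "lisa", "EAP-Message": b"\x02\x01\x00\x06\x15\x20"}
INNER_PAP_REQUEST = {"User-Name": "lisa", "User-Password": "correct horse"}


def apply_operator(config, attr, op, value):
    """users-file operator semantics (man 5 users).

    '='  : set only if the attribute is not already present
    ':=' : set unconditionally, replacing any existing value
    """
    if op == "=":
        config.setdefault(attr, value)
    elif op == ":=":
        config[attr] = value
    else:
        raise ValueError(f"operator {op!r} not modelled here")


def authorize(request, users_entry):
    """authorize { preprocess; eap; files }: returns the config items."""
    config = {}
    # preprocess: no effect on Auth-Type in this model
    # eap: sees EAP-Message, sets Auth-Type to EAP
    if "EAP-Message" in request:
        config["Auth-Type"] = "EAP"
    # files: DEFAULT entry with the operator under discussion
    attr, op, value = users_entry
    apply_operator(config, attr, op, value)
    return config


def kdc_check(request):
    """Stand-in for the KDC round trip (constructed for the example)."""
    return request["User-Password"] == "correct horse"


def authenticate(request, config):
    """authenticate { eap; Auth-Type Kerberos { krb5 } }"""
    auth_type = config.get("Auth-Type")
    if auth_type == "EAP":
        # eap module consumes the EAP-Message; the real server answers
        # with Access-Challenge while the TTLS tunnel is being set up.
        return ("eap", "challenge/ok")
    if auth_type == "Kerberos":
        # krb5 needs the cleartext password; an EAP packet carries none.
        if "User-Password" not in request:
            return ("krb5", "reject: no User-Password in EAP packet")
        return ("krb5", "accept" if kdc_check(request) else "reject")
    return (None, f"reject: no handler for Auth-Type {auth_type!r}")


def run(op):
    """Run both packets through authorize + authenticate for one operator.

    Returns {label: (Auth-Type after authorize, module called, outcome)}.
    """
    entry = ("Auth-Type", op, "Kerberos")
    results = {}
    for label, req in (("outer-eap", OUTER_EAP_REQUEST), ("inner-pap", INNER_PAP_REQUEST)):
        cfg = authorize(req, entry)
        results[label] = (cfg["Auth-Type"],) + authenticate(req, cfg)
    return results


if __name__ == "__main__":
    for op in ("=", ":="):
        print(f"DEFAULT Auth-Type {op} Kerberos")
        for label, (auth_type, module, outcome) in run(op).items():
            print(f"  {label:9s} Auth-Type={auth_type:8s} -> {module}: {outcome}")
```

With "=" the outer EAP packet keeps Auth-Type EAP and only the inner PAP packet reaches krb5; with ":=" the files module overrides EAP with Kerberos on the outer packet too, and krb5 is handed an EAP packet with no password.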