Using freeradius integrated with Active Directory to authenticate cisco passwords

Jeffrey Hutzelman jhutz at cmu.edu
Sat Feb 9 00:04:22 CET 2008


--On Friday, February 08, 2008 08:19:32 PM +0000 A.L.M.Buxey at lboro.ac.uk 
wrote:

> you MAY need to set "Auth-Type = krb5" for the required user or NAS
> setting depending on your config!

You will almost certainly have to do something -- there is no way for the 
rlm_krb5 module to know that you want to use it for verifying passwords; 
that's not something that can be inferred from the request.

If all of your clients will be using plain passwords which you want to 
verify against Kerberos, and you won't be supporting EAP clients, then you 
can probably get away with something simple like adding the following to 
the users file:

DEFAULT Auth-Type := krb5
	Fall-Through = No

Note that this violates the general advice of never setting Auth-Type 
explicitly; this is necessary because rlm_krb5 does not provide any 
authorize handling and will not set Auth-Type automatically like many other 
modules do.

If you are trying to support EAP or do something else complicated, then 
setting Auth-Type explicitly like this will probably break it, unless you 
are very careful to do so only under circumstances where it is the right 
thing to do.  I'm afraid I can't provide help with that; it's rather 
complex and really the right thing to do is update rlm_krb5 so it works 
automatically like everything else.  Perhaps someday I'll do that; I doubt 
the original author of that module cares any longer.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA
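
Added example, not part of the original message or of FreeRADIUS: a small Python check that scans a users file for DEFAULT entries that force Auth-Type with no comparison check item, which is the unconditional form the message says will probably break EAP. The sample file contents, the NAS address, the user "bob" and the function names are constructed for illustration.

```python
import re

# Constructed sample users file; the NAS address and user are illustrative.
SAMPLE_USERS = (
    "# plain-password clients only, as in the message\n"
    "DEFAULT Auth-Type := krb5\n"
    "\tFall-Through = No\n"
    "\n"
    "# scoped to one NAS (constructed address)\n"
    "DEFAULT NAS-IP-Address == 192.0.2.10, Auth-Type := krb5\n"
    "\tFall-Through = No\n"
    "\n"
    'bob Cleartext-Password := "example"\n'
)

# attribute, operator, value (quoted or bare) on an entry's check line
ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)\s*("[^"]*"|[^,\s]+)')
SETTERS = {":=", "=", "+="}   # these assign; every other operator compares

def parse_entries(text):
    """Yield (line_no, name, [(attr, op, value), ...]) per users-file entry."""
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in " \t#":
            continue              # blank, comment, or indented reply-item line
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        yield no, parts[0], ITEM.findall(rest)

def unconditional_auth_type(text):
    """Return (line_no, value) for DEFAULT entries forcing Auth-Type with no
    comparison check item, i.e. entries that apply to every request."""
    hits = []
    for no, name, items in parse_entries(text):
        forced = [v for a, op, v in items
                  if a.lower() == "auth-type" and op in SETTERS]
        scoped = any(op not in SETTERS for _, op, _ in items)
        if name == "DEFAULT" and forced and not scoped:
            hits.append((no, forced[0]))
    return hits

if __name__ == "__main__":
    for no, value in unconditional_auth_type(SAMPLE_USERS):
        print(f"line {no}: DEFAULT forces Auth-Type {value} for every request")
```

A hit is expected on a server that only handles plain passwords; on a server that also serves EAP clients it marks the entry to review.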



