PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...
Mike Loosbrock
m-loosbrock at bethel.edu
Thu Feb 12 19:33:45 CET 2009
On Feb 9, 2009, at 4:05 PM, sth wrote:
>
> I'd like to integrate the function of an older RADIUS server (FR 1.0.1)
> into the new one (FR 2.1.3), which handles 802.1X. The old FR box
> handles authentication for a VPN concentrator. It has some static users
> defined, then defaults to PAM (which, in this context, means krb5). Krb5
> works fine on the FR 2.1.3 config if I append:
>
> DEFAULT Auth-Type := Kerberos
>
> to the users file. Doing so breaks all tunneled EAP methods (which
> reading leads me to believe is predictable). Using PAM gives similar
> results, and I figured it better to use FR's native krb5 support
> anyway.
>
> I started down the path indicated in a seemingly-similar thread[3] from
> February of 2008, but my understanding of FR is still not good enough
> that I can parlay those (mostly FR1.x) instructions into a valid FR2.x
> config, in spite of Phil Mayers' general comments re: using 2.x's
> virtual server functionality.
>
> Are EAP and DEFAULTs mutually-exclusive? If not, what's the most
> effective way to approach this? Your thoughts on the matter are
> appreciated. I apologize in advance if there's already a wiki page or
> thread that deals with this, and accept links to such posts with great
> gusto. :-)

One way would be to not manually set Auth-Type in the users file and
instead use unlang:

    authorize {
        ...
        update control {
            Auth-Type = Kerberos
        }
    }

This would set Auth-Type to Kerberos if and only if no other modules
in the authorize section (such as files or eap) set Auth-Type.

See 'man unlang' for more details.

Mike Loosbrock
Bethel University Network Services
651-638-6723
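
An added illustration (not part of the original post, and not FreeRADIUS code): a small Python model of the `:=` and `=` operators as 'man unlang' describes them, comparing the users-file DEFAULT from the question with the unlang fallback from the reply. The module order, the step tuples and the function names are assumptions made for this example.

```python
# Simplified model of the FreeRADIUS control list (assumption: a dict is enough
# to show which Auth-Type ends up selected after the authorize section runs).

def apply_op(control, attr, op, value):
    """Apply one assignment using the operator semantics from 'man unlang'."""
    if op == ":=":
        control[attr] = value            # replace any existing value
    elif op == "=":
        control.setdefault(attr, value)  # add only if no such attribute exists
    else:
        raise ValueError(f"unsupported operator: {op}")
    return control

# Each step: (name, when it applies, operator, Auth-Type value).
# Constructed steps; the eap step is modelled as only acting on EAP requests.
EAP_MODULE = ("eap", "eap-only", "=", "EAP")
USERS_DEFAULT = ("files", "always", ":=", "Kerberos")            # DEFAULT Auth-Type := Kerberos
UNLANG_FALLBACK = ("update control", "always", "=", "Kerberos")  # Auth-Type = Kerberos

def final_auth_type(steps, request_is_eap):
    """Run the steps in order and return the Auth-Type left in the control list."""
    control = {}
    for _name, when, op, value in steps:
        if when == "eap-only" and not request_is_eap:
            continue
        apply_op(control, "Auth-Type", op, value)
    return control.get("Auth-Type")

# Same position in the authorize section, different operator.
FORCED = [EAP_MODULE, USERS_DEFAULT]      # configuration from the question
FALLBACK = [EAP_MODULE, UNLANG_FALLBACK]  # configuration from the reply

if __name__ == "__main__":
    for label, steps in (("users DEFAULT :=", FORCED), ("unlang =", FALLBACK)):
        for is_eap in (True, False):
            kind = "802.1X (EAP)" if is_eap else "VPN (no EAP)"
            print(f"{label:18} {kind:14} -> {final_auth_type(steps, is_eap)}")
```
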