PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...

Mike Loosbrock m-loosbrock at
Thu Feb 12 19:33:45 CET 2009

On Feb 9, 2009, at 4:05 PM, sth wrote:
> I'd like to integrate the function of an older RADIUS server (FR 1.0.1)
> into the new one (FR 2.1.3), which handles 802.1X. The old FR box
> handles authentication for a VPN concentrator. It has some static users
> defined, then defaults to PAM (which, in this context, means krb5). Krb5
> works fine on the FR 2.1.3 config if I append:
> 	DEFAULT       Auth-Type := Kerberos
> to the users file. Doing so breaks all tunneled EAP methods (which
> reading leads me to believe is predictable). Using PAM gives similar
> results, and I figured it better to use FR's native krb5 support anyway.
> I started down the path indicated in a seemingly-similar thread[3] from
> February of 2008, but my understanding of FR is still not good enough
> that I can parlay those (mostly FR1.x) instructions into a valid FR2.x
> config, in spite of Phil Mayers' general comments re: using 2.x's
> virtual server functionality.
> Are EAP and DEFAULTs mutually-exclusive? If not, what's the most
> effective way to approach this? Your thoughts on the matter are
> appreciated. I apologize in advance if there's already a wiki page or
> thread that deals with this, and accept links to such posts with great
> gusto. :-)

One way would be to not manually set Auth-Type in the users file and  
instead use unlang:

authorize {
   # place after the other authorize modules (files, eap, ...)
   update control {
     Auth-Type = Kerberos
   }
}

This would set Auth-Type to Kerberos if and only if no other modules  
in the authorize section (such as files or eap) set Auth-Type.

See 'man unlang' for more details.

Mike Loosbrock
Bethel University Network Services
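
The approach from the reply above, written out as a fuller configuration sketch. This is an added example, not part of the original post or the poster's actual config: the module list and file path assume a stock FreeRADIUS 2.x layout with a configured krb5 module instance.

```text
# raddb/users -- the entry from the question, shown disabled.
# ":=" replaces any Auth-Type already in the control list, so it
# overrides the choice made by modules such as eap or mschap.
#DEFAULT   Auth-Type := Kerberos

# raddb/sites-available/default (assumed stock FR 2.x layout)
authorize {
    preprocess
    mschap
    eap {
        ok = return
    }
    files          # static users defined in the users file
    pap

    # Must come last: "=" adds Auth-Type only when no module
    # above has already put one in the control list.
    update control {
        Auth-Type = Kerberos
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type Kerberos {
        krb5       # assumed instance name of the krb5 module
    }
    eap
}
```

Running the server with `radiusd -X` and checking which Auth-Type the debug output reports for an 802.1X request, a static user and a Kerberos user confirms that the fallback applies only to the last case.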
