Kerberos (krb5) Module Overrides Other Authentication Types . . .
Alan DeKok
aland at deployingradius.com
Sat Apr 3 17:16:09 CEST 2010
John Dennis wrote:
> Why does rlm_krb5 have behavior seemingly at
> odds with the other types of modules in its family (e.g. those which
> can authenticate given a cleartext password)?
*some* authentication modules can be listed in "authorize":
* chap
* mschap
* eap
This is because the *type* of authentication shows up in the packet:
* CHAP-Password
* MSCHAP-Challenge / Response
* EAP-Message
There is no corresponding attribute for Kerberos. There is no
corresponding attribute for LDAP.
On top of that, Kerberos, LDAP, etc. usually work *only* for
User-Password. And there are many, many such modules. "Automatically"
choosing one is hard. If you can edit *anything* to require a
particular authentication back-end, you might as well do it by setting
Auth-Type.
Alan DeKok.
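
The approach described in the message above, sketched as a virtual-server configuration. This is an added example, not part of the original post and not taken from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x unlang syntax, a module instance named krb5, and an Auth-Type value named Kerberos.

```text
# Added example; names and layout are assumptions, see the note above.
authorize {
    preprocess

    # These modules look for their own attribute in the request
    # (CHAP-Password, MS-CHAP challenge/response, EAP-Message) and
    # set Auth-Type themselves when they find it.
    chap
    mschap
    eap

    # A User-Password request carries nothing that names a back-end,
    # so the administrator chooses one explicitly. The condition leaves
    # alone any request that a module above has already claimed.
    if (!control:Auth-Type && User-Password) {
        update control {
            Auth-Type := Kerberos
        }
    }
}

authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # Runs only for requests where Auth-Type was set to Kerberos above.
    Auth-Type Kerberos {
        krb5
    }
    eap
}
```

Guarding the update on an unset Auth-Type keeps CHAP, MS-CHAP and EAP requests on their own modules, so only plain User-Password requests are sent to Kerberos.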