freeradius Kerberos config in users file ?

Alan DeKok aland at deployingradius.com
Wed Jun 23 11:36:31 CEST 2010


Riccardo Veraldi wrote:
> if I configure freeradius2 with krb5 authentication and I use the
> following users file,
> the authentication works using radtest
> 
> DEFAULT        Auth-Type := Kerberos

  See "man users" about the ":=" operator.  This *forces* Kerberos
authentication.

  See also my web page on password compatibility.  Kerberos isn't on
there, but it would look the same as the row showing CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

> but it fails using EAP (EAP-TTLS) telling User-Password attribute is
> missing...

  Yes... Kerberos takes a password entered by the user, and does
Kerberos magic with it.  There is *no* password in EAP.  So Kerberos
doesn't work.

> if I instead use the following users file:
> 
> DEFAULT        Auth-Type = Kerberos
>
> both radtest and EAP authentication work, and that's good, but why ?

  As always, read the debugging output.  It *tells* you why.

  In short, the "=" operator says "try Kerberos, but ONLY if nothing
else is supposed to authenticate the user".

  This means that the EAP module handles EAP, as it's supposed to.  The
"inner-tunnel" virtual server then gets a password *inside* of the TTLS
tunnel.  That password is used for Kerberos authentication.

  *Please* go read the debug output and compare it to the above
description.  While it's complicated, it is the best way to understand
what's going on.

  Alan DeKok.
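The operator behaviour described above, as an added example that is not part of the original post and not FreeRADIUS's own code: a small Python model of the "users" file check-item operators (":=" forces a value, "=" sets it only if nothing else already did, "+=" adds another instance) and of what each does to Auth-Type for the two request types in the thread. It assumes the stock FreeRADIUS 2 "authorize" order, where the eap module runs before the files module and sets Auth-Type to EAP when it sees an EAP request; the parser, the function names and the request scenarios are this example's own simplifications, not the server's implementation.

```python
import re

# One check item of a users-file entry: "Attribute op value".  Operators are
# tried longest first so ":=" and "+=" are not mis-read as "=".
CHECK_ITEM = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|==|=)\s*"?([^",]*?)"?\s*$')


def parse_entry(line):
    """Parse a users-file entry such as 'DEFAULT  Auth-Type := Kerberos'.

    Returns (name, [(attribute, operator, value), ...]).  This toy parser
    only handles a single line of comma-separated check items; it does not
    read reply items or multi-line entries (assumption of this example).
    """
    parts = line.strip().split(None, 1)
    name = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    items = []
    for chunk in rest.split(","):
        if not chunk.strip():
            continue
        m = CHECK_ITEM.match(chunk)
        if not m:
            raise ValueError("cannot parse check item: %r" % chunk)
        items.append(m.groups())
    return name, items


def apply_check_items(config, items):
    """Apply check items to the request's config (control) list.

    config maps attribute -> list of values, because the server keeps a
    list of pairs and '+=' can add a second instance.  Semantics follow
    "man users":
      :=  set, replacing any existing value (this is what forces Kerberos)
      =   set only if no item of that attribute exists yet
      +=  add another instance
      ==  comparison only; never assigns
    """
    for attr, op, value in items:
        existing = config.get(attr, [])
        if op == ":=":
            config[attr] = [value]
        elif op == "=":
            if not existing:
                config[attr] = [value]
        elif op == "+=":
            config[attr] = existing + [value]
    return config


def auth_type_after_files(users_line, eap_request):
    """Return the Auth-Type left in the config list after 'files' runs.

    Modelled authorize order (assumed, matches the stock default site):
    eap runs first and, for a request carrying EAP-Message, sets
    Auth-Type = EAP; then files applies the users entry.  A radtest (PAP)
    request, or the inner-tunnel request that carries User-Password
    inside TTLS, reaches files with nothing set.
    """
    config = {}
    if eap_request:
        config["Auth-Type"] = ["EAP"]
    _, items = parse_entry(users_line)
    apply_check_items(config, items)
    return config["Auth-Type"][0]


if __name__ == "__main__":
    # Constructed users-file lines, one per operator from the thread.
    for users_line in ("DEFAULT\tAuth-Type := Kerberos",
                       "DEFAULT\tAuth-Type = Kerberos"):
        for label, is_eap in (("outer EAP-TTLS request", True),
                              ("radtest / inner-tunnel", False)):
            print("%-32s %-24s -> Auth-Type %s" % (
                users_line.expandtabs(8), label,
                auth_type_after_files(users_line, is_eap)))
```

With ":=" the outer EAP request is handed to Kerberos, which then complains that User-Password is missing because the outer request only carries EAP-Message; with "=" the eap module's Auth-Type survives for the outer request, and only the inner-tunnel request (which has the password) ends up with Auth-Type Kerberos.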
