freeradius Kerberos config in users file ?
Riccardo Veraldi
Riccardo.Veraldi at cnaf.infn.it
Wed Jun 23 13:02:43 CEST 2010
Thank you, now it is much more clear to me.
Rick
Alan DeKok wrote:
> Riccardo Veraldi wrote:
>
>> if I configure freeradius2 with krb5 authentication and I use the
>> following users file,
>> the authentication works using radtest
>>
>> DEFAULT Auth-Type := Kerberos
>>
>
> See "man users" about the ":=" operator. This *forces* Kerberos
> authentication.
>
> See also my web page on password compatibility. Kerberos isn't on
> there, but it would look the same as the row showing CHAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>
>> but it fails using EAP (EAP-TTLS) telling User-Password attribute is
>> missing...
>>
>
> Yes... Kerberos takes a password entered by the user, and does
> kerberos magic with it. There is *no* password in EAP. So Kerberos
> doesn't work.
>
>
>> if I instead use the following users file:
>>
>> DEFAULT Auth-Type = Kerberos
>>
>> both radtest and EAP authentication work, and that's good, but why?
>>
>
> As always, read the debugging output. It *tells* you why.
>
> In short, the "=" operator says "try Kerberos, but ONLY if nothing
> else is supposed to authenticate the user".
>
> This means that the EAP module handles EAP, as it's supposed to. The
> "inner-tunnel" virtual server then gets a password *inside* of the TTLS
> tunnel. That password is used for kerberos authentication.
>
> *Please* go read the debug output and compare it to the above
> description. While it's complicated, it is the best way to understand
> what's going on.
>
> Alan DeKok.
>
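
The operator difference discussed in this thread, as an added example (a simplified Python model, not FreeRADIUS code and not from either poster). It assumes the eap module runs before files in the authorize section and sets Auth-Type to EAP when EAP-Message is present; the function names and sample requests are constructed for illustration.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how the users-file
# operators ":=" and "=" act on the Auth-Type control attribute.

def eap_authorize(request, control):
    # Assumed behaviour: the eap module claims any request carrying EAP-Message.
    if "EAP-Message" in request:
        control.setdefault("Auth-Type", "EAP")

def files_authorize(control, op):
    # Models the users-file line: DEFAULT Auth-Type <op> Kerberos
    if op == ":=":      # always replaces an existing Auth-Type
        control["Auth-Type"] = "Kerberos"
    elif op == "=":     # sets Auth-Type only if nothing has set it yet
        control.setdefault("Auth-Type", "Kerberos")
    else:
        raise ValueError(f"unsupported operator {op!r}")

def authenticate(request, control, op):
    auth_type = control.get("Auth-Type")
    if auth_type == "Kerberos":
        # Kerberos needs the clear-text password the user typed.
        if "User-Password" not in request:
            return "reject: User-Password attribute is missing"
        return "accept: Kerberos"
    if auth_type == "EAP":
        # EAP-TTLS: the tunnelled request (constructed here) goes to the
        # inner-tunnel virtual server, modelled as using the same users file.
        inner = {"User-Name": request["User-Name"],
                 "User-Password": "constructed-pw"}
        return "EAP -> inner " + process(inner, op)
    return "reject: no Auth-Type"

def process(request, op):
    control = {}
    eap_authorize(request, control)   # assumed order: eap before files
    files_authorize(control, op)
    return authenticate(request, control, op)

# Constructed sample requests
RADTEST = {"User-Name": "rick", "User-Password": "constructed-pw"}
EAP_TTLS_OUTER = {"User-Name": "rick", "EAP-Message": b"\x02\x01"}

def run_all():
    samples = (("radtest", RADTEST), ("eap-ttls", EAP_TTLS_OUTER))
    return {(name, op): process(req, op)
            for op in (":=", "=") for name, req in samples}

if __name__ == "__main__":
    for key, result in run_all().items():
        print(key, "->", result)
```

The real server's debug output remains the authoritative trace; this model only mirrors the order of decisions described in the reply.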