EAP-TTLS & Kerberos

Phil Mayers p.mayers at imperial.ac.uk
Thu Apr 21 01:24:38 CEST 2011


On 04/20/2011 11:56 PM, tod wrote:

> Wed Apr 20 14:19:28 2011 : Debug:   PEAP: Setting User-Name to joe
> Sending tunneled request
> 	EAP-Message = 0x0207000a01746f747465
> 	FreeRADIUS-Proxied-To = 127.0.0.1
> 	User-Name = "joe"
> server inner-tunnel {
> Wed Apr 20 14:19:28 2011 : Info: +- entering group authorize {...}
> Wed Apr 20 14:19:28 2011 : Info: ++[expiration] returns noop
> Wed Apr 20 14:19:28 2011 : Info: ++[logintime] returns noop
> Wed Apr 20 14:19:28 2011 : Info: [pap] WARNING! No "known good" password
> found for the user.  Authentication may fail because of this.
> Wed Apr 20 14:19:28 2011 : Info: ++[pap] returns noop
> Wed Apr 20 14:19:28 2011 : Info: ++? if (User-Password)
> Wed Apr 20 14:19:28 2011 : Info: ? Evaluating (User-Password) ->  FALSE
> Wed Apr 20 14:19:28 2011 : Info: ++? if (User-Password) ->  FALSE
> Wed Apr 20 14:19:28 2011 : Info: ++? if (!User-Password)
> Wed Apr 20 14:19:28 2011 : Info: ? Evaluating !(User-Password) ->  TRUE
> Wed Apr 20 14:19:28 2011 : Info: ++? if (!User-Password) ->  TRUE
> Wed Apr 20 14:19:28 2011 : Info: ++- entering if (!User-Password) {...}
> Wed Apr 20 14:19:28 2011 : Info: +++[control] returns noop
> Wed Apr 20 14:19:28 2011 : Info: ++- if (!User-Password) returns noop
> Wed Apr 20 14:19:28 2011 : Info: Found Auth-Type = Kerberos
> Wed Apr 20 14:19:28 2011 : Info: +- entering group Kerberos {...}
> Wed Apr 20 14:19:28 2011 : Auth: rlm_krb5: Attribute "User-Password" is
> required for authentication.
> Wed Apr 20 14:19:28 2011 : Info: ++[krb5] returns invalid
> Wed Apr 20 14:19:28 2011 : Info: Failed to authenticate the user.
> } # server inner-tunnel

This is PEAP, not TTLS as was discussed in the original thread. PEAP 
uses MS-CHAP as the "inner" auth. rlm_krb5 cannot be used, because the 
client does not supply plaintext passwords with PEAP. See:

http://deployingradius.com/documents/protocols/compatibility.html

Also, you've broken the config by removing modules from "inner-tunnel". 
Specifically, you've removed the "eap" module, meaning that the inner 
EAP will never be handled.

Finally, this thread is months old. If you aren't the original poster, 
and don't have the same problem (which you don't) please start a new thread.



More information about the Freeradius-Users mailing list