EAP-TTLS & Kerberos

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 2 17:44:53 CET 2011


On 02/02/11 16:29, Thorsten Fischer wrote:
> All,
>
> I have a number of NASs - wireless APs running hostapd. I am setting up a
> freeradius 2.1.10 server to control the authentication of
> username@net.example.com to the wireless network; the decision is to be made by
> a Kerberos server. The setup is not working as intended, which I think stems
> either from my misunderstanding of the protocols involved or of how to set up
> freeradius correctly. Or both.
>
> Later, all authentication requests of username@example.com (without the net.)
> are to be forwarded to another Radius server. There will likely be more
> services integrated in the same vein later, so I would like to branch out into
> separate virtual servers based on realm.
>
> My understanding is that the communication between a user@net.example.com and
> freeradius needs to involve EAP-TTLS, because of the cleartext password which
> is required to be passed on to kerberos. The required keytab is set up and
> configured correctly. modules/krb5 is set up accordingly. bootstrap in
> raddb/certs has been run to create self-signed certs.
>
> I have an entry in the users file:
>
> DEFAULT    Realm == "net.example.com", Auth-Type = Kerberos

Yeah, that won't work; it is forcing the server to try Kerberos, even 
when the request is EAP.

You want something like this in /etc/raddb/sites-enabled/inner-tunnel:

authorize {
    ...
    ...
    # let the PAP module detect that it's PAP
    pap
}
authenticate {
    Auth-Type PAP {
        # ...but check PAP via kerberos
        krb5
    }
}


...or:

authorize {
    ...
    # if we get here, set Auth-Type
    if (User-Password) {
        update control {
            # (unless a higher-up module has set it)
            Auth-Type = Kerberos
        }
    }
}
authenticate {
    Auth-Type Kerberos {
        krb5
    }
}
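The following is an added example, not part of Phil's reply or of the FreeRADIUS distribution: a fuller inner-tunnel authorize/authenticate pair that ties the realm test from the original users-file entry to the explicit Auth-Type form above. It assumes the stock 2.1.x layout (the suffix module and the krb5 module instance are configured, and the proxy-to-another-RADIUS decision for plain example.com is taken in the outer server before TTLS is negotiated). The explicit Auth-Type form is used rather than relying on pap in authorize, because rlm_pap only sets Auth-Type := PAP when it also finds a "known good" password for the user, which a Kerberos-backed user will not have. The Reply-Message text is illustrative.

```unlang
# sites-enabled/inner-tunnel (fragment, added example; assumes the
# default 2.1.x module set and that example.com is proxied by the
# outer server)
server inner-tunnel {
    authorize {
        # Split "user@net.example.com" into Stripped-User-Name and Realm.
        # Realms not listed in proxy.conf leave Proxy-To-Realm unset.
        suffix

        # Phase-2 identities are never proxied from here; the outer
        # server already decided where example.com goes.
        update control {
            Proxy-To-Realm := LOCAL
        }

        if (Realm == "net.example.com") {
            # Only EAP-TTLS/PAP carries a cleartext User-Password that
            # the krb5 module can present to the KDC.
            if (User-Password) {
                update control {
                    Auth-Type := Kerberos
                }
            }
            else {
                # CHAP, MS-CHAPv2 or EAP inside the tunnel cannot be
                # checked against Kerberos, so fail fast and say why.
                update reply {
                    Reply-Message := "net.example.com requires EAP-TTLS/PAP"
                }
                reject
            }
        }

        # Other realms keep the usual local-password path.
        pap
    }

    authenticate {
        Auth-Type Kerberos {
            krb5
        }
        Auth-Type PAP {
            pap
        }
    }
}
```

With radiusd -X, a successful net.example.com login shows the suffix module populating Realm, the update block setting Auth-Type := Kerberos, and krb5 returning ok; a TTLS/MSCHAPv2 attempt for that realm shows the else branch and an Access-Reject without ever calling krb5. The branch-per-realm structure is the one to extend for the additional services mentioned in the question.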

