EAP-TTLS & Kerberos
Phil Mayers
p.mayers at imperial.ac.uk
Wed Feb 2 17:44:53 CET 2011
On 02/02/11 16:29, Thorsten Fischer wrote:
> All,
>
> I have a number of NASs - wireless APs running hostapd. I am setting up a
> freeradius 2.1.10 server to control the authentication of
> username@net.example.com to the wireless network; the decision is to be made by
> a Kerberos server. The setup is not working as intended, which I think stems
> either from my misunderstanding of the protocols involved or of how to set up
> freeradius correctly. Or both.
>
> Later, all authentication requests of username@example.com (without the net.)
> are to be forwarded to another RADIUS server. There will likely be more
> services integrated in the same vein later, so I would like to branch out into
> separate virtual servers based on realm.
>
> My understanding is that the communication between a user@net.example.com and
> freeradius needs to involve EAP-TTLS, because of the cleartext password which
> is required to be passed on to Kerberos. The required keytab is set up and
> configured correctly. modules/krb5 is set up accordingly. bootstrap in
> raddb/certs has been run to create self-signed certs.
>
> I have an entry in the users file:
>
> DEFAULT Realm == "net.example.com", Auth-Type = Kerberos
Yeah, that won't work; it is forcing the server to try Kerberos, even
when the request is EAP.
You want something like this in /etc/raddb/sites-enabled/inner-tunnel:
authorize {
    ...
    ...
    # let the PAP module detect that it's PAP
    pap
}

authenticate {
    Auth-Type PAP {
        # ...but check PAP via kerberos
        krb5
    }
}
...or:
authorize {
    ...
    # if we get here, set Auth-Type
    if (User-Password) {
        update control {
            # (unless a higher-up module has set it)
            Auth-Type = Kerberos
        }
    }
}

authenticate {
    Auth-Type Kerberos {
        krb5
    }
}
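Putting the first variant together with the realm split the original question asks for, here is an added example (not Phil's configuration and not shipped FreeRADIUS defaults) of an inner-tunnel virtual server and the matching proxy.conf realm blocks. Assumptions: FreeRADIUS 2.x unlang syntax, the `suffix` realm module splits `user@realm` into Stripped-User-Name and Realm so that rlm_krb5 builds the principal from the bare username and the default realm in krb5.conf, the home server address and shared secret are placeholders, and users of example.com are proxied from the outer (default) virtual server on their outer identity rather than from inside the tunnel.

```conf
# /etc/raddb/proxy.conf (example; realm names from the thread, other values are placeholders)

home_server upstream_example_com {
    type   = auth
    ipaddr = 192.0.2.10            # placeholder address of the other RADIUS server
    port   = 1812
    secret = CHANGE_ME_PLACEHOLDER # placeholder shared secret
}

home_server_pool upstream_example_com_pool {
    type        = fail-over
    home_server = upstream_example_com
}

# No auth_pool or auth_host: requests for this realm are handled locally.
realm net.example.com {
}

# Requests for this realm are forwarded; the outer identity decides, so the
# whole EAP conversation (and the password inside the tunnel) goes to the
# home server and never reaches the krb5 module here.
realm example.com {
    auth_pool = upstream_example_com_pool
    nostrip
}

# /etc/raddb/sites-enabled/inner-tunnel (example; the part of the
# EAP-TTLS exchange that carries the cleartext password)

server inner-tunnel {
    authorize {
        # Split user@realm; sets Realm and Stripped-User-Name.
        suffix

        # Inner EAP (e.g. EAP-MSCHAPv2) is handled by the eap module;
        # a TTLS/PAP inner request carries User-Password and eap returns noop.
        eap {
            ok = return
        }

        if (Realm == "net.example.com") {
            # pap sets Auth-Type = PAP when User-Password is present
            # and no earlier module has already chosen an Auth-Type.
            pap
        }
        else {
            # Fail closed: anything else inside the tunnel is rejected
            # instead of being tried against the Kerberos backend.
            reject
        }
    }

    authenticate {
        Auth-Type PAP {
            # Verify the inner cleartext password against the KDC
            # (modules/krb5 and the keytab must already be configured).
            krb5
        }
        eap
    }
}
```

With this layout `radiusd -X` shows `suffix` reporting "Looking up realm net.example.com" and the request falling through to `Auth-Type PAP` and then `krb5`; if the debug output instead shows the Kerberos module rejecting an EAP request, the users-file `DEFAULT` line from the question is still forcing Auth-Type and must be removed.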