Kerberos - Radius does not get password
Phil Mayers
p.mayers at imperial.ac.uk
Thu May 10 18:10:11 CEST 2012
On 10/05/12 16:39, Jörg Herzinger wrote:
> Hi,
>
> Radius has been bugging me now for over a week and I just can't get it
> working with Kerberos over WLan. I have been trying around a lot but in

There's no such thing as "kerberos over WLAN".

Wireless authentication is either:

* MAC address (no radius involved)
* shared secret (no radius involved)
* WPA-Enterprise i.e. 802.1x

> root@donauauen42 ~ # radtest testing pass radius 1 averysecretsecret
> Sending Access-Request of id 166 to 192.168.43.118 port 1812
> User-Name = "testing"
> User-Password = "pass"
> NAS-IP-Address = 192.168.42.42
> NAS-Port = 1
This is a plain PAP request, and as such not representative of
WPA-Enterprise.
You should download the wpa_supplicant sources, and compile "eapol_test"
to test 802.1x authentication.
> Not working Kerberos debug log: http://pastie.org/3890159
These logs show 802.1x i.e. WPA-Enterprise authentication. You are using
EAP-TTLS, with EAP-MD5 inner. The log is clear:
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
The "kerberos" module can only authenticate PAP, because it's an
"oracle". See:
http://deployingradius.com/documents/protocols/oracles.html
For these purposes, you may consider Kerberos to be equivalent to PAM.
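
Added example (not part of the original message and not FreeRADIUS code): a Python model of why a yes/no password oracle such as Kerberos or PAM can answer PAP but not EAP-MD5. PasswordOracle, the server_* functions and the "testing"/"pass" account are hypothetical names and constructed sample data; the response formula is the RFC 3748 MD5-Challenge (computed as in CHAP, RFC 1994).

```python
import hashlib
import hmac
import os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class PasswordOracle:
    """Hypothetical stand-in for Kerberos/PAM: answers yes/no, never reveals the password."""
    def __init__(self, users):
        self._db = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self._db[user] = (salt, _kdf(password, salt))

    def check(self, user, password):
        salt, stored = self._db.get(user, (b"", b""))
        return hmac.compare_digest(_kdf(password, salt), stored)

def eap_md5_response(identifier, password, challenge):
    # MD5(identifier || password || challenge), as the supplicant computes it.
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()

def server_pap(oracle, user, password):
    # PAP (plain, or inside a TTLS tunnel): the server holds the password
    # the user typed, so it can pass it to the oracle for a yes/no answer.
    return oracle.check(user, password)

def server_eap_md5(user, identifier, challenge, response, cleartext_db):
    # EAP-MD5: the server only receives a digest, so it must recompute it
    # from a password it already knows. An oracle cannot supply that.
    password = cleartext_db.get(user)
    if password is None:
        raise LookupError("Cleartext-Password is required for EAP-MD5 authentication")
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    oracle = PasswordOracle({"testing": "pass"})  # constructed sample account
    challenge = os.urandom(16)
    response = eap_md5_response(1, "pass", challenge)
    try:
        oracle_only = server_eap_md5("testing", 1, challenge, response, {})
    except LookupError as exc:
        oracle_only = str(exc)
    with_cleartext = server_eap_md5("testing", 1, challenge, response, {"testing": "pass"})
    return server_pap(oracle, "testing", "pass"), oracle_only, with_cleartext
```

demo() returns the PAP result, the EAP-MD5 result with only an oracle available, and the EAP-MD5 result once a cleartext password store exists.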