Kerberos - Radius does not get password

Phil Mayers p.mayers at
Thu May 10 18:10:11 CEST 2012

On 10/05/12 16:39, Jörg Herzinger wrote:
> Hi,
> Radius has been bugging me now for over a week and I just can't get it
> working with Kerberos over WLan. I have been trying around a lot but in

There's no such thing as "kerberos over WLAN"

wireless authentication is either:

  * MAC address (no radius involved)
  * shared secret (no radius involved)
  * WPA-Enterprise i.e. 802.1x

> root at donauauen42 ~ # radtest testing pass radius 1 averysecretsecret
> Sending Access-Request of id 166 to port 1812
> User-Name = "testing"
> User-Password = "pass"
> NAS-IP-Address =
> NAS-Port = 1

This is a plain PAP request, and as such not representative of 

You should download the wpa_supplicant sources, and compile "eapol_test" 
to test 802.1x authentication.

> Not working Kerberos debug log:

These logs show 802.1x i.e. WPA-Enterprise authentication. You are using 
EAP-TTLS, with EAP-MD5 inner. The log is clear:

[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select

The "kerberos" module can only authenticate PAP, because it's an 
"oracle". See:

For these purposes, you may consider Kerberos to be equivalent to PAM.

More information about the Freeradius-Users mailing list