Kerberos - Radius does not get password
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 8 12:24:26 CET 2013
On 08/01/13 10:31, Khapare Joshi wrote:
> I am running on:
> CENTOS6
> samba-winbind-3.5.10-125.el6.x86_64
> samba-3.5.10-125.el6.x86_64
> samba-common-3.5.10-125.el6.x86_64
>
>
Ok. Unfortunately this isn't nearly enough data to speculate about what
your problems might be. To be honest, I don't even know what data
*would* tell us that - but it would certainly include your AD server OS
version and domain functional level.
But this is really off-topic - if you have Samba problems, the Samba
list is the place to discuss them.
>
> and DEFAULT AUTH-Type = kerberos in users file.
No, this is wrong. Don't do this. It may stop you doing mschap.
If you *must* set Auth-Type, you need to ensure it's done correctly -
only set if unset, and if it's PAP - which can be done in unlang like so:
authorize {
    ...
    eap
    mschap

    # if Auth-Type isn't set yet
    if (!control:Auth-Type) {
        # AND if it's a PAP request (contains User-Password)
        if (User-Password) {
            # use Kerberos
            update control {
                Auth-Type := kerberos
            }
        }
    }
    ...
}
> To make this work, I still have to configure samba, join radius server
> to AD and so on for the AD authentication right ?
Yes.
> but, kerberos only works with PAP, is there a security risk - what is
> your view on this?
View on what?
Vague questions like "is there a security risk" don't really mean anything.
Let me answer a different question:
In my opinion, given current state-of-the-art in cryptography, TTLS/PAP
is not appreciably more or less secure than PEAP/MSCHAP. They both have
very similar security properties, and are close to identical at the
protocol level.
The use of TTLS/PAP provides more options in backend password storage /
authentication server, but that's separate from the security of the
protocol.
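Added example, not part of the original thread or of FreeRADIUS itself: a small Python model of the authorize-stage decision that the unlang snippet above makes. It contrasts the conditional policy (set Auth-Type to kerberos only when it is still unset and the request carries User-Password) with a blanket assignment, which is how this model treats "DEFAULT Auth-Type = kerberos" in the users file (an assumption of the model, not a statement about the files module's operator semantics). The request dictionaries, module functions and the NEEDS table are constructed simplifications; the attribute values are stand-ins, not real credentials.

```python
"""Model of the FreeRADIUS authorize decision from the post (added example)."""

# Constructed sample requests: attribute name -> value, as the authorize
# section would see them. Values are placeholders, not real credentials.
PAP_REQUEST = {"User-Name": "alice", "User-Password": "<cleartext from TTLS/PAP>"}
MSCHAP_REQUEST = {
    "User-Name": "bob",
    "MS-CHAP-Challenge": "<16-byte challenge>",
    "MS-CHAP2-Response": "<50-byte response>",
}
EAP_REQUEST = {"User-Name": "carol", "EAP-Message": "<EAP-Response/Identity>"}

# Which request attribute each authentication backend needs in order to work.
# The kerberos module needs a cleartext password; there is none in an MS-CHAP
# exchange, so forcing kerberos on such a request cannot succeed.
NEEDS = {
    "kerberos": "User-Password",
    "mschap": "MS-CHAP-Challenge",
    "eap": "EAP-Message",
}


def eap_module(request, control):
    """Model of `eap` in authorize: claim EAP requests if Auth-Type is unset."""
    if "EAP-Message" in request:
        control.setdefault("Auth-Type", "eap")


def mschap_module(request, control):
    """Model of `mschap` in authorize: claim MS-CHAP requests if unset."""
    if "MS-CHAP-Challenge" in request:
        control.setdefault("Auth-Type", "mschap")


def conditional_kerberos(request, control):
    """The unlang from the post: only if Auth-Type is unset AND User-Password
    is present (i.e. it is a PAP request) do we route it to kerberos."""
    if "Auth-Type" not in control and "User-Password" in request:
        control["Auth-Type"] = "kerberos"


def blanket_kerberos(request, control):
    """Assumption: models a users-file DEFAULT entry as an unconditional
    override of whatever the modules already decided."""
    control["Auth-Type"] = "kerberos"


def authorize(request, policy):
    """Run the modelled authorize section (eap, mschap, then the policy) and
    return (chosen Auth-Type, whether that backend can handle the request)."""
    control = {}
    eap_module(request, control)
    mschap_module(request, control)
    policy(request, control)
    auth_type = control.get("Auth-Type")
    usable = auth_type is not None and NEEDS[auth_type] in request
    return auth_type, usable


def compare_policies():
    """Return {request label: {policy name: (Auth-Type, usable)}} for all three
    constructed requests under both policies."""
    requests = {"PAP": PAP_REQUEST, "MSCHAP": MSCHAP_REQUEST, "EAP": EAP_REQUEST}
    policies = {"conditional": conditional_kerberos, "blanket": blanket_kerberos}
    return {
        label: {name: authorize(req, pol) for name, pol in policies.items()}
        for label, req in requests.items()
    }


if __name__ == "__main__":
    for label, results in compare_policies().items():
        for name, (auth_type, usable) in results.items():
            verdict = "ok" if usable else "cannot authenticate"
            print(f"{label:6s} {name:11s} -> Auth-Type={auth_type}: {verdict}")
```

Running it shows the conditional policy leaving MS-CHAP and EAP requests to their own modules and sending only the PAP request to kerberos, while the blanket policy routes every request to kerberos and strands the ones that carry no cleartext password.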