Auth-Type krb5 not recognized by v2.1.12

Jaap Winius jwinius at umrk.nl
Wed Mar 27 04:09:09 CET 2013


Quoting Phil Mayers <p.mayers at imperial.ac.uk>:

> ... you should be using 2.2.0 or 2.2.1 when it's released, as the
> 2.1.10/11/12 releases have a known security issue.

I'll be sure to install 2.2.x as soon as a Debian package becomes  
available for it, but for now I'm going to stick with 2.1.x.

> I see from the (limited) debug output you've given that you're  
> forcing Auth-Type in a "users" file. This is usually a mistake, and  
> can cause confusing errors.

If I leave it out, 2.1.10 doesn't work for me.

What follows is a description of how I modified my Freeradius server's  
default configuration in order to get it working for me on Debian  
squeeze with Kerberos support. After installing the freeradius and  
freeradius-krb5 packages along with some dependencies, this is what I  
did:

1.) Added to the end of /etc/freeradius/clients.conf:

   client 192.168.2.2 {
       secret    = <long_secret_string_1>
       shortname = <my_ssid>
   }

2.) Modified attribute in /etc/freeradius/eap.conf, section 'eap':

   default_eap_type = ttls

Modified attribute in subsection 'tls':

   private_key_password = <long_secret_string_2>

3.) Added this line to the end of /etc/freeradius/users:

   DEFAULT Auth-Type = krb5

4.) Changed these two lines in /etc/freeradius/modules/krb5:

   keytab = /etc/freeradius/freeradius.keytab
   service_principal = radius/<host.name>

5.) In /etc/freeradius/sites-enabled/inner-tunnel, added an extra line  
with 'krb5' below the line 'pam' (which is commented out) in section  
'authenticate'.

6.) Installed and configured a Kerberos client on the Freeradius host.  
Of course, this included using kadmin to create a host principal,  
host/<host.name>, as well as a matching keytab (/etc/krb5.keytab) on  
the Freeradius host.

7.) Used the kadmin console again on the Freeradius host to create a  
radius service principal: radius/<host.name>

8.) Created a keytab for the radius service principal:  
/etc/freeradius/freeradius.keytab

9.) Generated a set of self-signed certificates that I copied to the  
/etc/freeradius/certs directory.

When all of this works, 'freeradius -X' shows the following output:

=== Begin 2.1.10 success ================================

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
         User-Name = "jwinius"
         User-Password = "<my_password>"
         FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
         User-Name = "jwinius"
         User-Password = "<my_password>"
         FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 207
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = krb5
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
++[krb5] returns ok
   WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.2.2 port 1025
         MS-MPPE-Recv-Key = 0xab083ff864d0156503438d3bac157120ac64723522901d27a41564a100bb42a8
         MS-MPPE-Send-Key = 0xb31e8a4a4cfe891d652a209aa8e14e5eaa460d3becda0c6cb7d23f5e181c159c
         EAP-Message = 0x03060004
         Message-Authenticator = 0x00000000000000000000000000000000
         User-Name = "jwinius"

=== End 2.1.10 success ==================================

On the other hand, it doesn't work if I remove the 'DEFAULT Auth-Type  
= krb5' in the users file. Without that line I get this result:

=== Begin 2.1.10 fail ===================================

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	User-Name = "jwinius"
	User-Password = "<my_password>"
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	User-Name = "jwinius"
	User-Password = "<my_password>"
	FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> jwinius
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 0 to 192.168.2.2 port 1025
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000

=== End 2.1.10 fail =====================================

After upgrading to 2.1.12, what kills my setup is that Freeradius will  
no longer start up if I leave 'DEFAULT Auth-Type = krb5' enabled in  
the users file. But if I disable it, I get exactly the same failure  
output as I do from 2.1.10 when I disable that line in the users file.

Cheers,

Jaap
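As an added example (editor's illustration, not part of the original post and not FreeRADIUS code), the script below classifies `freeradius -X` output of the kind quoted above. The two sample logs are constructed from trimmed copies of the success and fail excerpts, with the password left redacted as in the post; the regular expressions assume the 2.1.x debug line formats shown there. Besides reporting the final reply and the Auth-Types chosen, it flags the detail in the "success" run that a practitioner should not pass over: `rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied` is followed by `++[krb5] returns ok`, so the TGT obtained with the user's password was never verified against the radius service key in the keytab (the inference being that /etc/freeradius/freeradius.keytab is not readable by the account the daemon runs as). That verification is what stops a spoofed KDC from making any password succeed. It also flags the missing Auth-Type in the fail run and counts the cleartext `User-Password` lines that `-X` prints inside the tunnel, which should be scrubbed before the output is shared.

```python
"""Classify FreeRADIUS 2.x 'freeradius -X' output for an EAP-TTLS + rlm_krb5 setup.

Added illustration, not from the original post. Sample logs below are constructed
from the two quoted excerpts (trimmed, password redacted)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MODULE_RC = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rc>\w+)$")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (?P<name>\S+)$")
KRB5_NOKEY = re.compile(r"^rlm_krb5: verify_krb_v5_tgt: host key not found : (?P<reason>.+)$")
NO_AUTH_TYPE = "ERROR: No authenticate method (Auth-Type) found for the request"
REPLY = re.compile(r"^Sending (?P<code>Access-Accept|Access-Reject) of id")
PASSWORD_ATTR = re.compile(r"^\s*User-Password = ")


@dataclass
class Verdict:
    reply: Optional[str] = None                          # final packet sent to the NAS
    auth_types: List[str] = field(default_factory=list)  # Auth-Type chosen: outer, then inner
    findings: List[str] = field(default_factory=list)    # things to act on


def analyse(debug_output: str) -> Verdict:
    v = Verdict()
    in_inner = False
    pending_keytab_error: Optional[str] = None
    password_lines = 0

    for raw in debug_output.splitlines():
        line = raw.strip()
        if line.startswith("server inner-tunnel {"):
            in_inner = True
        elif line.startswith("} # server inner-tunnel"):
            in_inner = False
        if PASSWORD_ATTR.match(raw):
            password_lines += 1          # -X prints the tunneled password in clear

        m = AUTH_TYPE.match(line)
        if m:
            v.auth_types.append(m.group("name"))
            continue
        m = KRB5_NOKEY.match(line)
        if m:
            pending_keytab_error = m.group("reason")   # remember until krb5's return code
            continue
        m = MODULE_RC.match(line)
        if m and m.group("module") == "krb5":
            if pending_keytab_error and m.group("rc") == "ok":
                v.findings.append(
                    "krb5 returned ok although the service key could not be read "
                    f"({pending_keytab_error}): the TGT was not verified against the "
                    "keytab, so a spoofed KDC would be accepted; check owner/mode of the "
                    "keytab for the user the daemon runs as")
            pending_keytab_error = None
            continue
        if in_inner and line.startswith(NO_AUTH_TYPE):
            v.findings.append("inner-tunnel: nothing in authorize set Auth-Type, so "
                              "authenticate never ran; the inner request needs Auth-Type := krb5")
            continue
        m = REPLY.match(line)
        if m:
            v.reply = m.group("code")

    if password_lines:
        v.findings.append(f"{password_lines} User-Password line(s) in debug output: scrub before sharing")
    return v


# Constructed samples: trimmed from the two excerpts quoted in the post.
SUCCESS_LOG = """\
Found Auth-Type = EAP
+- entering group authenticate {...}
[ttls] Got tunneled request
        User-Name = "jwinius"
        User-Password = "<my_password>"
server inner-tunnel {
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 207
++[files] returns ok
++[pap] returns noop
Found Auth-Type = krb5
+- entering group authenticate {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
++[krb5] returns ok
} # server inner-tunnel
Sending Access-Accept of id 0 to 192.168.2.2 port 1025
"""

FAIL_LOG = """\
Found Auth-Type = EAP
[ttls] Got tunneled request
        User-Name = "jwinius"
        User-Password = "<my_password>"
server inner-tunnel {
+- entering group authorize {...}
++[files] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
} # server inner-tunnel
Sending Access-Reject of id 0 to 192.168.2.2 port 1025
"""

if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("fail", FAIL_LOG)):
        r = analyse(log)
        print(name, r.reply, r.auth_types)
        for f in r.findings:
            print("  -", f)
```

Run it against a real `freeradius -X` capture by reading the file into `analyse()`; the krb5 finding only fires when the "host key not found" line is immediately followed by an `ok` return from the same module, so a keytab that is merely missing a principal but causes a reject is not misreported.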


More information about the Freeradius-Users mailing list