Freeradius authentification against Kerberos

Wang, Yu ywang10 at
Wed Jul 23 21:40:25 CEST 2014

You can use third-party plugins, but I strongly discourage you from using EAP-TTLS with Kerberos/PAP because it has security holes. We use FreeRadius and NTLM. In searching for a more efficient method than NTLM, I looked into EAP-TTLS with Kerberos, but a network engineer at a brother university showed me how a hacker could easily steal user passwords with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.

For your environment, PEAP MSCHAPv2 will work.

Yu Wang
Network Architect
Information Technology Services
The Florida State University
850-645-6810 at

From: at [ at] On Behalf Of Benjamin Stahl (
Sent: Wednesday, July 23, 2014 11:54 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius authentification against Kerberos

Hey, thanks for your fast answer.

As a Windows 7 client, I can only authenticate with PEAP - MSCHAPv2, right?
I looked at the network settings and did not find EAP-TTLS. Is that right?

Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.

On 23.07.2014 at 17:10, Wang, Yu <ywang10 at<mailto:ywang10 at>> wrote:

From: at< at> [ at] On Behalf Of Benjamin Stahl
Sent: Wednesday, July 23, 2014 9:55 AM
To: Freeradius Mailing-List
Subject: Freeradius authentification against Kerberos


I'm a newbie with Freeserver. It is my first time with it. I am trying to set up a configuration against Kerberos with your freeradius-server on CentOS 6.5.
I use FreeRadius 2.1.12.

Please use 2.2.5 if you can.

But now I get the error "no authenticate method (Auth-Type) found for the request" every time. So every user gets a reject.
I set up the server as explained in this tutorial from<>:

Under authenticate {}, make sure you have following lines:

        Auth-Type PAP {
        Auth-Type Kerberos {

My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work.

Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.

Can anyone help me, please?

I attached the logs.

Thanks, and best Benjamin.
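
A fuller form of the `authenticate {}` fragment quoted above, as an added example that is not part of the original thread or of the configuration shipped with FreeRADIUS. It assumes FreeRADIUS 2.x syntax, an rlm_krb5 module instance named `krb5`, and that these sections sit in the virtual server that handles the inner EAP-TTLS/PAP request; setting Auth-Type with `unlang` is one possible way to do it.

```conf
# Added example (FreeRADIUS 2.x syntax); names and placement are assumptions.

authorize {
        # Something in authorize must set Auth-Type. If nothing does, the
        # request is rejected with:
        #   "no authenticate method (Auth-Type) found for the request"
        #
        # Kerberos needs the cleartext password, so only select it when the
        # request carries User-Password (PAP, e.g. inside EAP-TTLS).
        # An MS-CHAPv2 request carries no cleartext password, which is why
        # PEAP-MSCHAPv2 cannot be checked against Kerberos.
        if (User-Password) {
                update control {
                        Auth-Type := Kerberos
                }
        }
}

authenticate {
        # Each Auth-Type sub-section names the module that performs the check.
        Auth-Type PAP {
                pap
        }
        Auth-Type Kerberos {
                krb5
        }
}
```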
