krb5 authentication not working

Alan DeKok aland at deployingradius.com
Wed Aug 23 02:24:48 CEST 2017


On Aug 22, 2017, at 8:16 PM, Greg Wilson <Greg.Wilson at asu.edu> wrote:
> Getting
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> 
> in debug output.  The server does not appear to be trying krb5 authentication.

  You have to tell it to do kerberos authentication.

> In sites-enabled/default ---------
> authenticate {
>        #
>        # User Kerberos to authenticate
>        #
>        Auth-Type Kerberos {
>                  krb5
>        }

  That's good...

> In mods-enabled/krb5 --------------
> krb5 {
>        keytab = /etc/raddb-checkpoint/radius_auth.keytab
>        service_principal = "radius_auth"

  That's good...

> In mods-config/files/authorize --------------
> DEFAULT Auth-Type = Kerberos
>        User-Service-Type = Login-User,
>        Login-Service = Rlogin

  That should mostly work.  Though *always* assigning User-Service-Type && Login-Service is a little odd.

> Debug output: ------------------

  It helps to read this.  I know there's a lot there, but the information you need *does* exist, and is in the debug output.

> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb-checkpoint/radiusd.conf
> } # server

  You have an empty "server" section?  Why?

> server inner-tunnel { # from file /etc/raddb-checkpoint/sites-enabled/inner-tunnel

  Which is only for EAP...

> server default { # from file /etc/raddb-checkpoint/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default

  That's good...

> radiusd: #### Opening IP addresses and Ports ####
> Listening on auth address 10.120.3.175 port 1645
> Listening on acct address 10.120.3.175 port 1646
> Listening on proxy address * port 59986
> Ready to process requests
> (0) Received Access-Request Id 6 from 129.219.12.155:44940 to 10.120.3.175:1645 length 50
> (0)   User-Name = "User"
> (0)   User-Password = "Pwd"
> (0)   NAS-IP-Address = 129.219.12.155
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject

  And if you read this, you'll note that it doesn't run any modules.  Specifically, the "files" module isn't being used.

  The problem is that you edited the default configuration, and broke the server.  Don't do that.

  If you start off with the default configuration and do your edits, it *will* work.  But for now, it looks like you added an empty "server" section (among other things), that broke FreeRADIUS.

  Please read "man radiusd" for instructions on a step-by-step process to create working configurations.

  Alan DeKok.
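
The check described in the reply above (read the debug output for an empty "server" section and for a rejected request that never ran "authorize") can be scripted. This is an added example, not part of the original message or of FreeRADIUS; the function names are hypothetical, the sample is constructed from the output quoted above, and the `authorize` markers it looks for are an assumption about what a request that does run the section prints.

```python
import re

SERVER_OPEN = re.compile(r"^server\s*([\w.-]*)\s*\{\s*# from file (\S+)")
REQ_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
# Assumption: a request that does run the section prints one of these markers.
AUTHORIZE_RAN = re.compile(r"^(# Executing section authorize|authorize \{)")

# Constructed sample, modelled on the debug output quoted in the message.
SAMPLE = """\
server { # from file /etc/raddb-checkpoint/radiusd.conf
} # server
server default { # from file /etc/raddb-checkpoint/sites-enabled/default
 # Loading authorize {...}
} # server default
(0) Received Access-Request Id 6 from 129.219.12.155:44940 to 10.120.3.175:1645 length 50
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

def empty_servers(text):
    """Return (name, file) for each virtual server that loaded no sections."""
    found, current, loaded = [], None, 0
    for line in map(str.strip, text.splitlines()):
        m = SERVER_OPEN.match(line)
        if m:
            current, loaded = (m.group(1), m.group(2)), 0
        elif current and line.startswith("# Loading"):
            loaded += 1
        elif current and line.startswith("} # server"):
            if loaded == 0:
                found.append(current)
            current = None
    return found

def rejected_without_authorize(text):
    """Return request numbers rejected with no Auth-Type and no authorize run."""
    ran, rejected = set(), []
    for line in map(str.strip, text.splitlines()):
        m = REQ_LINE.match(line)
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2)
        if AUTHORIZE_RAN.match(body):
            ran.add(req)
        elif body.startswith("ERROR: No Auth-Type found") and req not in ran:
            rejected.append(req)
    return rejected

if __name__ == "__main__":
    print(empty_servers(SAMPLE), rejected_without_authorize(SAMPLE))
```

A request listed by the second function never reached the "files" module, so an Auth-Type set in mods-config/files/authorize could not have been applied to it.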



