FreeRadius 3.0.17 and Kerberos 5
Alan DeKok
aland at deployingradius.com
Tue Jun 23 14:55:40 CEST 2020
On Jun 23, 2020, at 2:42 AM, Marcelito de Guzman <marzzz21 at gmail.com> wrote:
>
> Good Day,
>
> I'm trying to connect my FreeRadius server to my Kerberos Server.
>
> As per the documentation, I've followed what was directed here:
>
> Also created a soft link for the krb module from raddb/mods-available
> to raddb/mods-enabled. However, the FreeRadius Server doesn't seem to
> be contacting the Kerberos server. Is there anything else I need to
> set up?
Yes. You need to tell the "default" virtual server to use the kerberos module for authentication.
Except...
> Here's the `radiusd -X` logs:
Good...
>
> (0) Received Access-Request Id 77 from 10.129.1.1:55055 to
> 10.129.2.19:1812 length 145
> (0) Service-Type = Login-User
> (0) User-Name = "bob"
> (0) MS-CHAP-Challenge = 0x2fac175f8a7b17749c39b9d64e19f21d
> (0) MS-CHAP2-Response =
> 0x00002d2bf61426d63eb3c2e752936784be960000000000000000a55bc6e5c0583ea6f2b5f5672c38e0e6c1c8103487b6ac51
You can't use MS-CHAP with Kerberos. It's impossible.
Kerberos is only compatible with PAP (i.e. User-Password) authentication.
Can you make the client send User-Password? If not, then you can't use Kerberos.
If you can use User-Password, then:
* list "krb5" in the "authenticate" section
* add this to the bottom of "authorize", but before "pap"
	if (User-Password && !control:Auth-Type && !control:Proxy-To-Realm) {
		update control {
			Auth-Type := krb5
		}
	}
PAP authentication will then work.
Alan DeKok.
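
The check described in the reply above, as an added example that is not part of the original message or of FreeRADIUS: a Python script that reads the request attributes out of `radiusd -X` output (including values wrapped onto the next line, as in the quoted log) and applies the same condition as the unlang block. The function names and the sample log lines are constructed for illustration.

```python
import re

# Constructed samples of `radiusd -X` request lines (not from the original post).
SAMPLE_MSCHAP = """\
(0) Received Access-Request Id 77 from 192.0.2.1:55055 to 192.0.2.19:1812 length 145
(0)   Service-Type = Login-User
(0)   User-Name = "bob"
(0)   MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
(0)   MS-CHAP2-Response =
0x0000aabbccdd
"""
SAMPLE_PAP = """\
(1) Received Access-Request Id 78 from 192.0.2.1:55056 to 192.0.2.19:1812 length 60
(1)   User-Name = "bob"
(1)   User-Password = "constructed-password"
"""

# "(N)  Attribute-Name = value" as printed in debug mode.
ATTR = re.compile(r"^\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")

def request_attributes(debug_text):
    """Collect attributes from the request block of the debug output. A line
    without the "(N)" prefix is the wrapped tail of the previous value."""
    attrs, last = {}, None
    for line in debug_text.splitlines():
        line = line.strip()
        m = ATTR.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
        elif last and line and not line.startswith("("):
            attrs[last] += line
    return attrs

def krb5_verdict(attrs, control=()):
    """Mirror the unlang condition from the reply: krb5 is selected only when
    User-Password is present and neither control:Auth-Type nor
    control:Proxy-To-Realm has already been set."""
    if "User-Password" not in attrs:
        other = ("MS-CHAP", "CHAP-", "EAP-")
        method = next((a for a in attrs if a.startswith(other)), "unknown")
        return f"krb5 not usable: no User-Password (saw {method})"
    if "Auth-Type" in control or "Proxy-To-Realm" in control:
        return "krb5 skipped: control already set"
    return "Auth-Type := krb5"

if __name__ == "__main__":
    for sample in (SAMPLE_MSCHAP, SAMPLE_PAP):
        print(krb5_verdict(request_attributes(sample)))
```

Pass it only the request block (the lines from "Received Access-Request" up to the first processing section) of the debug output.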