Active Directory authenticated VPN

Michael Ströder michael at
Thu May 6 10:46:55 CEST 2021

You're using mixed citation from two different authors. Please cite

On 5/6/21 10:28 AM, Pisch Tamás wrote:
> Michael Ströder wrote:
>> People who are really eager to use Kerberos could probably just set SASL
>> mech GSSAPI and let libkrb5 do the work.
>> Configuration can be done outside of FreeRADIUS with some env vars:
> I've already read it. I know that I should set environmental variables. I
> tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug
> output.

Because as Alan already said FreeRADIUS does not know anything about

FYI: SASL and GSSAPI are two authentication abstraction layers.

Mainly FreeRADIUS passes the SASL mech string as-is to libldap which
invokes libsasl with the correct parameters. For SASL mech GSSAPI
libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.

You can try to set KRB5_TRACE to let libkrb5 write debug logs.

Ciao, Michael.

More information about the Freeradius-Users mailing list