Active Directory authenticated VPN

Pisch Tamás pischta at
Thu May 6 11:57:53 CEST 2021

Michael Ströder via Freeradius-Users <freeradius-users at>
wrote (on Thu, May 6, 2021, 10:47):

> You're using mixed citation from two different authors. Please cite
> correctly.
Ok, sorry.

> On 5/6/21 10:28 AM, Pisch Tamás wrote:
> > Michael Ströder wrote:
> >> People who are really eager to use Kerberos could probably just set SASL
> >> mech GSSAPI and let libkrb5 do the work.
> >> Configuration can be done outside of FreeRADIUS with some env vars:
> >>
> >>
> >
> > I've already read it. I know that I should set environmental variables. I
> > tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug
> > output.
> Because as Alan already said FreeRADIUS does not know anything about
> Kerberos.
> FYI: SASL and GSSAPI are two authentication abstraction layers.
> Mainly FreeRADIUS passes the SASL mech string as-is to libldap which
> invokes libsasl with the correct parameters. For SASL mech GSSAPI
> libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
Great, thanks. I feel lost in a jungle. This is why I wrote to the
list, and the "read the documentation" answer doesn't help me. Surely I could
find these somewhere in the documentation someday, but concrete helps me a

> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start
freeradius, nothing new appears in the log with
    tls {
    start_tls = no
    sasl {
    mech = 'GSSAPI'
    realm = ''
I tried with start_tls again, with
    require_cert = 'allow'
But it didn't help. I still get "Strong(er) authentication required"


