Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Thu May 6 11:57:53 CEST 2021


Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org>
wrote (date: 6 May 2021, Thu, 10:47):

> You're using mixed citation from two different authors. Please cite
> correctly.
>
Ok, sorry.

>
> On 5/6/21 10:28 AM, Pisch Tamás wrote:
> > Michael Ströder wrote:
> >> People who are really eager to use Kerberos could probably just set SASL
> >> mech GSSAPI and let libkrb5 do the work.
> >> Configuration can be done outside of FreeRADIUS with some env vars:
> >>
> >>
> https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#environment-variables
> >
> > I've already read it. I know that I should set environmental variables. I
> > tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius
> > debug output.
>
> Because as Alan already said FreeRADIUS does not know anything about
> Kerberos.
>
> FYI: SASL and GSSAPI are two authentication abstraction layers.
>
> Mainly FreeRADIUS passes the SASL mech string as-is to libldap which
> invokes libsasl with the correct parameters. For SASL mech GSSAPI
> libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
>
Great, thanks. I feel lost in a jungle. This is why I wrote to the
list, and the "read the documentation" answer doesn't help me. Surely I could
find these somewhere in the documentation someday, but something concrete helps
me a lot.

>
> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
>
Ok, I did it. When I use kinit, I can see messages in the log. When I start
freeradius, nothing new appears in the log with

    tls {
        start_tls = no
    }
    sasl {
        mech = 'GSSAPI'
        realm = 'ad.ourdomain.hu'
    }

I tried with start_tls again, with

    require_cert = 'allow'

But it didn't help. I still get the "Strong(er) authentication required"
message.

Thanks,

Tamás.
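The message above reports that KRB5_TRACE produces output for kinit but not for freeradius. Before digging into libldap or libsasl, one check worth doing is whether the variable actually reaches the radiusd process at all: kinit runs in the interactive shell where the variable was exported, while a daemon started by an init system gets its own environment. The following shell script is an added example, not code from the thread or from the FreeRADIUS project. It reads a process environment in the NUL-separated format of /proc/<pid>/environ and reports which libkrb5 variables are present; the function names (env_value, check_krb5_env, make_shell_sample, make_daemon_sample) and both sample environments are constructed for this example so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): check whether libkrb5 debug/config
# variables actually reach a running process, by reading its environment in
# the /proc/<pid>/environ format (NUL-separated "KEY=value" records).
# Function names and the sample data below are constructed for this example.

# Print the value of variable $2 from the environ file $1; prints nothing
# when the variable is not set in that process.
env_value() {
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Report the Kerberos-relevant variables found in the environ file $1.
# Prints one line per variable and returns 0 only if KRB5_TRACE is set,
# i.e. only if libkrb5 inside that process would write a trace log.
check_krb5_env() {
    envfile="$1"
    status=1
    for var in KRB5_TRACE KRB5_CONFIG KRB5CCNAME KRB5_KTNAME; do
        val=$(env_value "$envfile" "$var")
        if [ -n "$val" ]; then
            echo "$var=$val"
            if [ "$var" = KRB5_TRACE ]; then
                status=0
            fi
        else
            echo "$var is NOT set in this process"
        fi
    done
    return $status
}

# Constructed sample 1: an interactive shell in which the variables were
# exported before running kinit. Writes the environ-format file to $1.
make_shell_sample() {
    printf 'PATH=/usr/bin\000KRB5_TRACE=/tmp/krb5.log\000KRB5_CONFIG=/etc/krb5.conf\000' > "$1"
}

# Constructed sample 2: a daemon launched by an init system, which does not
# inherit variables exported in someone's login shell.
make_daemon_sample() {
    printf 'PATH=/usr/sbin:/usr/bin\000LANG=C\000' > "$1"
}

# Real use on a live system (needs root or the daemon's own uid):
#   check_krb5_env "/proc/$(pidof radiusd | cut -d' ' -f1)/environ"
```

If the daemon's environment shows "KRB5_TRACE is NOT set", the absence of trace output says nothing yet about the LDAP/SASL path; the variable has to be supplied in whatever mechanism starts radiusd (its init-system unit or environment file) rather than in an interactive shell.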

