On 01/18/2013 10:13 AM, John Dennis wrote:
On 01/18/2013 09:31 AM, Han Boetes wrote:
In the users file
DEFAULT Auth-Type = Kerberos
          Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

Be careful!

It's almost never a good idea to set the Auth-Type in the user config.
Why? Because normally the server figures out the best Auth-Type to use
for a given Auth-Request based on the contents of the Auth-Request
packet. The contents of the Auth-Request packet depends exclusively on
the configuration of the user's device, something you typically do not
have control over (think of random user trying to connect with unknown

The FR server figures out which Auth-Type to use based on its
configuration and set of policy rules, all of which you can write.

The problem comes when a user sends an Auth-Request whose contents do
not match the Auth-Type you've forced on them; then things will
completely *fail*.

Using DEFAULT for the Auth-Type is an even more pernicious problem
because you're saying apply this to everyone that lands in the default

There are a few Auth-Types the server can't figure out on its own,
kerberos is one of them (because fundamentally it's no different than
pap in terms of what the client sends). There are a number of approaches
one can take to address this issue via policy configuration in the
server, but I'm sorry to say I don't have time to document and test all
those at the moment.

All I'm trying to say is what you've done above will work only in a very
constrained scenario, it is not a general solution. The FreeRADIUS list
is filled with folks' attempts to force an Auth-Type in the users file
only to discover their woes.

Here are a couple of threads I found on the freeradius-users list which might be of help to you:

You should use a TLS tunnel with Kerberos auth because the user's password is sent in the request packet; this explains some of the issues with doing krb inside the inner tunnel of the server:


This is a how-to someone wrote up on using kerberos with FreeRADIUS, sorry I haven't read it to check for accuracy, but it might be helpful.


John Dennis <jden...@redhat.com>
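As an added illustration of the policy-based alternative John describes (not config from either poster), the following unlang fragment selects Auth-Type Kerberos only for requests that actually carry a cleartext User-Password, instead of forcing it on every request that lands in DEFAULT; the file paths, the `krb5` module name and the attribute names outside the original users entry are assumptions for FreeRADIUS 2.x/3.x.

```unlang
# Problematic form (the original 'users' file entry): every request that
# reaches DEFAULT is forced to Kerberos, including CHAP, MS-CHAP and EAP
# requests that carry no cleartext password, so those fail outright.
#
# DEFAULT Auth-Type = Kerberos
#         Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

# Policy alternative for raddb/sites-enabled/default (assumed location).
# Auth-Type is chosen from what the Access-Request actually contains.
authorize {
    preprocess
    chap
    mschap
    eap

    # Only a request with a cleartext User-Password can be checked against
    # a KDC; CHAP/MS-CHAP/EAP requests are left to their own modules.
    if (User-Password && !CHAP-Password && !EAP-Message) {
        update control {
            Auth-Type := Kerberos
        }
    }

    # Reply attributes the original DEFAULT entry granted, kept separate
    # from the authentication decision. priv-lvl=15 is full device
    # privilege; scope this to a group check rather than every user.
    update reply {
        Service-Type := NAS-Prompt-User
        Cisco-AVPair := "shell:priv-lvl=15"
    }
}

authenticate {
    # Assumes the krb5 module is enabled (raddb/mods-enabled/krb5 on 3.x).
    Auth-Type Kerberos {
        krb5
    }
    chap
    mschap
    eap
}
```

Because the password still travels in the clear inside the Access-Request, this policy belongs behind the TLS tunnel the thread recommends, not on an unprotected RADIUS path.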


Freeipa-users mailing list
