"McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> The EAP client (Aironet, BPS2K, etc.) authenticates to FreeRADIUS, but
> FreeRADIUS itself needs authoritative information somewhere, hence PAM. 

  PAM authenticates username/passwords.  My understanding of EAP is
that if you're doing EAP authentication over RADIUS, then there may
not be a username/password in the RADIUS packet.

  Therefore you can't do PAM authentication with EAP.

> I, for example, wish to authenticate users against a Kerberos server, so
> my unix machines use PAM and pam_krb5.so.

  Ok.. 0.5 also has rlm_krb5. :)

> So with FreeRADIUS, I should (hopefully) be able to use the Kerberos
> server (via PAM) to *authenticate* users, but use the raddb/users
> database to *authorize* users (EAP attributes).

  I don't know enough about EAP to know how it does authorization.
But from reading RFC 2869 (RADIUS extensions, including EAP), it
looks to me like EAP is mainly for authentication, and that
"old-style" RADIUS username/password attributes don't appear in
RADIUS packets with EAP.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
