I recently got kerberos auth working from FR to a krb server by means of
radtest without any errors or core dumps. However, when actually trying to
authenticate to freeradius I am getting "User-Password" attribute required.
From what I understand that returned password must not be encrypted when it
checks.
What I have been unable to figure out is how I pass the correct User-Pass
attribute from LEAP to rlm_krb5 and become authenticated. I have included
two separate debugs that I have pulled. If anyone has had any experience
with this and could help clarify things and point me in the right direction
that would be great.
1.) Below is an authentication request directly to the radius server from a
Cisco aironet 1200.
rad_recv: Access-Request packet from host *.*.*.*:3990, id=46, length=155
User-Name = "username"
Cisco-AVPair = "ssid=test"
NAS-IP-Address = *.*.*.*
Called-Station-Id = "000b3555f1fa"
Calling-Station-Id = "000a8bb38c7e"
NAS-Identifier = "identifier"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0121111c053989fd989fd9
Message-Authenticator = 0x001fd34435gd939438ggds94899w98g
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 2 length 12
modcall[authorize]: module "eap" returns updated
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
modcall: entering group Auth-Type
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 46 to *.*.*.*:3990
2.) Below is a request that is proxied from our Cisco ACS that is having the
same problem.
rad_recv: Access-Request packet from host *.*.*.*:3024, id=6, length=143
User-Name = "username"
NAS-IP-Address = *.*.*.*
NAS-Port = 1852
NAS-Identifier = "CiscoSecure ACS v3.1(1.27)"
MS-CHAP-Challenge = 0x42e7shg83d2d073f
MS-CHAP-Response
=0x110100000000000000000000000000000000000000000000000045644169c1ec6a5127diw
v368473a7s3095576e39a8f3989
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
modcall: entering group Auth-Type
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 6 to *.*.*.*:3024
Thanks,
Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
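The two debugs above share one symptom: rlm_krb5 is selected as Auth-Type and then rejects the request because there is no User-Password attribute, since the request carries only EAP-Message (LEAP) or MS-CHAP-Response, neither of which contains a cleartext password. The following is an added example, not code from the post or from the FreeRADIUS project: a small triage script that parses a radiusd -X capture into one record per Access-Request, lists which credential attribute each request actually carries, and flags every request where Kerberos was chosen without a User-Password. The sample debug text is constructed and trimmed from the two captures in the post (placeholder IPs, shortened hex, and a third invented request that does carry User-Password so the accept path is visible).

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the two debugs in the post plus one invented
# request (id=7) that carries a cleartext User-Password. IPs and hex are placeholders.
# The MS-CHAP-Response line is deliberately wrapped the way it appears in the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.1:3990, id=46, length=155
User-Name = "username"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0121111c053989fd989fd9
Message-Authenticator = 0x00
rad_check_password: Found Auth-Type Kerberos
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid
Sending Access-Reject of id 46 to 10.0.0.1:3990
rad_recv: Access-Request packet from host 10.0.0.2:3024, id=6, length=143
User-Name = "username"
MS-CHAP-Challenge = 0x42e7
MS-CHAP-Response
=0x1101
rad_check_password: Found Auth-Type Kerberos
modcall[authenticate]: module "krb5" returns invalid
Sending Access-Reject of id 6 to 10.0.0.2:3024
rad_recv: Access-Request packet from host 10.0.0.3:1812, id=7, length=60
User-Name = "username"
User-Password = "placeholder"
rad_check_password: Found Auth-Type Kerberos
modcall[authenticate]: module "krb5" returns ok
Sending Access-Accept of id 7 to 10.0.0.3:1812
"""

# Credential-bearing attributes and what they contain. rlm_krb5 needs the cleartext
# password to request a ticket; challenge/response attributes never carry it.
CREDENTIAL_ATTRS = {
    "User-Password": "cleartext password (usable by rlm_krb5)",
    "CHAP-Password": "CHAP digest (no cleartext)",
    "MS-CHAP-Response": "MS-CHAP challenge/response (no cleartext)",
    "MS-CHAP2-Response": "MS-CHAPv2 challenge/response (no cleartext)",
    "EAP-Message": "EAP payload (no cleartext; LEAP is MS-CHAP carried in EAP)",
}

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*(.*)$")
AUTH_TYPE_RE = re.compile(r"^rad_check_password: Found Auth-Type (\S+)")
MODULE_RE = re.compile(r'^modcall\[authenticate\]: module "([^"]+)" returns (\S+)')
SEND_RE = re.compile(r"^Sending (Access-\S+) of id (\d+)")


def parse_requests(text: str) -> List[Dict]:
    """Split a radiusd -X capture into one record per rad_recv block."""
    requests: List[Dict] = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        # Re-join an attribute whose "=value" wrapped onto the following line.
        if re.fullmatch(r"[A-Za-z0-9-]+", line) and i + 1 < len(lines) and lines[i + 1].startswith("="):
            line = line + " " + lines[i + 1]
            i += 1
        m = RECV_RE.match(line)
        if m:
            requests.append({"type": m.group(1), "client": m.group(2), "id": int(m.group(3)),
                             "attrs": {}, "auth_type": None, "modules": [], "reply": None})
        elif requests:
            cur = requests[-1]
            if (m := ATTR_RE.match(line)):
                cur["attrs"][m.group(1)] = m.group(2)
            elif (m := AUTH_TYPE_RE.match(line)):
                cur["auth_type"] = m.group(1)
            elif (m := MODULE_RE.match(line)):
                cur["modules"].append((m.group(1), m.group(2)))
            elif (m := SEND_RE.match(line)):
                cur["reply"] = m.group(1)
        i += 1
    return requests


def diagnose(req: Dict) -> str:
    """Explain, for one request, whether rlm_krb5 had a password to work with."""
    creds = [a for a in CREDENTIAL_ATTRS if a in req["attrs"]]
    if req["auth_type"] != "Kerberos":
        return f"id={req['id']}: Auth-Type {req['auth_type']}, rlm_krb5 not involved"
    if "User-Password" in creds:
        return f"id={req['id']}: User-Password present, rlm_krb5 can check it (reply {req['reply']})"
    offered = ", ".join(f"{a} ({CREDENTIAL_ATTRS[a]})" for a in creds) or "no credential attribute"
    return (f"id={req['id']}: Auth-Type Kerberos but no User-Password; request carries {offered}; "
            f"rlm_krb5 cannot run and the result is {req['reply']}")


def mismatched_request_ids(text: str) -> List[int]:
    """IDs of requests routed to Kerberos without a cleartext User-Password."""
    return [r["id"] for r in parse_requests(text)
            if r["auth_type"] == "Kerberos" and "User-Password" not in r["attrs"]]


if __name__ == "__main__":
    for r in parse_requests(SAMPLE_DEBUG):
        print(diagnose(r))
    print("mismatched:", mismatched_request_ids(SAMPLE_DEBUG))
```

Run it against a saved `radiusd -X` capture by replacing SAMPLE_DEBUG with the file contents; the mismatch list is the set of requests that can never succeed through rlm_krb5 as sent, regardless of whether the KDC itself is reachable.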