There isn't really much to do for Kerberos re:
radiusd.conf
...
modules {
    krb5 {
    }
    ...
authenticate {
    krb5
}
...
In your users file have
...
DEFAULT Auth-Type := Kerberos
You also need a /etc/krb5.keytab and /etc/krb5.conf (you probably
already have them).
I don't think Kerberos will work with EAP, PEAP, or LEAP, but one can
always hope.
We use one-time passwords with Kerberos so sending it clear-text isn't a
problem.
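For testing I use:
# $TESTUSER is the test principal; $1 is the RADIUS shared secret.
# Expected reply (code 2 = Access-Accept) and its attributes
echo "code 2, length = 40" | cat - >RAAT-expect
echo " Framed-IP-Address = 255.255.255.254" | cat - >>RAAT-expect
echo " Service-Type = Framed-User" | cat - >>RAAT-expect
echo " Filter-Id = \"dialup\"" | cat - >>RAAT-expect
# Attributes of the request to send
echo "User-Name = $TESTUSER" | cat - >RAAT-input
echo "User-Password = test3ok" | cat - >>RAAT-input
echo "NAS-IP-Address = 123.123.123.123" | cat - >>RAAT-input
# Set a known password on the principal, then send the request
kadmin.local -q "cpw -pw test3ok $TESTUSER" 2>&1 >RAAT-got
radclient -f RAAT-input -i 123.123.123.123 radius.ds.lanl.gov:1645 auth $1 2>&1 >RAAT-got
# Randomize the key again so the test password stops working
kadmin.local -q "cpw -randkey $TESTUSER" 2>&1 >/dev/null
# No diff output means the reply matched the expected one
diff RAAT-expect RAAT-got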
On Wed, 2004-04-07 at 08:51, Steve OBrien wrote:
> >make sure /usr/local/lib is first on your system library
> >path (check with crle).
> Thanks!! I never knew about that command, jeez what a great one!
>
> >What version of Kerberos are you using ?
> 1.3.3 binary from MIT
>
>
> >To ensure everything works properly and that you don't have some
> >conflicts between SEAM and MIT
> Do you have the Solaris Kerberos packages installed?
>
> >I've got two Solaris 9 installs (versions 1.2.8 and 1.3.1) and I've
> >built freeradius on both - no issues.
> Are you using Kerberos for freeradius authentication?
> If you are, would you mind sharing your radiusd.conf Kerberos
> configuration? I have not been able to find much information about it.
>
>
> Steve
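
The setup this message describes (krb5 in the modules and authenticate sections of radiusd.conf, a DEFAULT Auth-Type := Kerberos entry in users, plus /etc/krb5.keytab and /etc/krb5.conf) can be checked before starting radiusd. The script below is an added example, not part of the original post or of FreeRADIUS; the function names and the rule that the keytab carries no permissions for other users are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: preflight check for the
# krb5 setup described in the message. All four paths are arguments.

# section_has FILE SECTION WORD
# True if WORD is the first token of a line inside top-level "SECTION { }".
section_has() {
    awk -v sec="$2" -v word="$3" '
        { sub(/#.*/, "") }                          # drop comments
        depth == 0 && $1 == sec && $2 == "{" { in_sec = 1 }
        in_sec && depth >= 1 && $1 == word { found = 1 }
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
        depth == 0 { in_sec = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# krb5_preflight RADIUSD_CONF USERS_FILE KEYTAB KRB5_CONF
# Prints one FAIL line per problem and returns the number of problems.
krb5_preflight() {
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    section_has "$1" modules krb5 ||
        fail "no krb5 { } block in the modules section of $1"
    section_has "$1" authenticate krb5 ||
        fail "krb5 is not listed in the authenticate section of $1"
    grep -Eq '^DEFAULT[[:space:]]+Auth-Type[[:space:]]*:=[[:space:]]*Kerberos' "$2" ||
        fail "no 'DEFAULT Auth-Type := Kerberos' entry in $2"
    [ -r "$4" ] || fail "$4 is missing or unreadable"

    # The keytab holds the service's long-term key: it must exist, and
    # (assumed policy for this example) no "other" permission bits are set.
    if [ ! -r "$3" ]; then
        fail "$3 is missing or unreadable by this user"
    elif [ -n "$(find "$3" \( -perm -004 -o -perm -002 \))" ]; then
        fail "$3 is accessible to other users"
    fi
    return "$problems"
}

# Run only when called with the four paths, e.g.
#   sh krb5-preflight.sh <radiusd.conf> <users> /etc/krb5.keytab /etc/krb5.conf
if [ "$#" -eq 4 ]; then
    krb5_preflight "$@"
fi
```

Run it as the account radiusd runs under, so the readability checks reflect what the server will actually see.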