"Riccardo.Veraldi" <[EMAIL PROTECTED]> wrote: > But I am unable to succesfully authenticate > and I get this error: > > rlm_krb5: Attribute "User-Password" is required for authentication. ... > I would like the authentication via 802.1x to point to my kerberos server > instead of a local radius users file authentication (this indeed works > with EAP-TTLS).
Because EAP-TTLS supplies a clear-text password in the TLS tunnel. The message you're getting is from a PEAP session (and no, you don't say that). PEAP uses MS-CHAP inside of the TLS tunnel, which means it's impossible to do kerberos authentication. MS-CHAP doesn't supply a clear-text password, so you can't use that, and kerberos doesn't understand MS-CHAP. > should I instead use PAM module and configure PAM > to authenticate using kerberos ? No. PAM doesn't understand MS-CHAP, either. What you want to do is impossible, because it's designed to be impossible by the people who created MS-CHAP and Kerberos. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
