Thanks a lot for the reply! On Tue, Jan 24, 2006 at 12:28:00PM -0500, Alan DeKok wrote: > Jakob Oestergaard <[EMAIL PROTECTED]> wrote again: > > If I put this in my users file, EAP-TTLS works and FreeRADIUS correctly > > sees the PAP password from the laptop: > > > > DEFAULT Auth-Type = EAP > > You don't need to do that. The server will figure it out on it's own.
It seems to me that it doesn't - read on. > > > If I put this in my users file, Kerberos works but FreeRADIUS does not > > get the password from the notebook > > That's backwards. The notebook sends the password (maybe) to > FreeRADIUS. Ah yes - my bad > > > So, is there a way to tell FreeRADIUS to both use EAP *and* attempt > > Kerberos authentication when it actually has a password? > > Yes. Your configuration is correct. > > Try running the server in debugging mode (as suggested in the > README, FAQ, and INSTALL) to see why it's being rejected. I did - unfortunately I didn't save the log output and I don't have a laptop handy right now to retry - will fix... The kerberos module complained that no "User-Password" was sent, and therefore it couldn't try authenticating against the kerb. server. If I ran with Auth-Type = EAP, then the TTLS encapsulated PAP messages would be decoded correctly and I could see the supplied password in clear text. If I ran with Auth-Type = Kerberos, only the User-Name would be decoded, no User-Password. I can send proper logs tomorrow - in case the above doesn't ring any bells :) Thanks, -- / jakob - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
