Hello all,

I have a configuration where I allow users to get onto the wireless
network by authenticating with EAP-TLS or with EAP-GTC inside of
EAP-TTLS.  If they have a cert, then they authenticate with EAP-TLS, and
if they have a password, then they authenticate with EAP-TTLS/EAP-GTC
which in turn authenticates against Kerberos.  In addition, there are
some admins who need to log into the access point's command shell.  I
would like these to be authenticated against the same Kerberos server,
but everyone else should get rejected.

As it turns out, I have a configuration that accomplishes all of this
*perfectly*.  In radiusd.conf, I have:

modules {
  ...
  krb5 {
  }
  ...
}
...
authenticate {
  ...
  Auth-Type Kerberos {
    krb5
  }
  ...
}

Then, in the users file, I have:

"admin1"  NAS-Port-Type == "Virtual", Auth-Type = Kerberos
"admin2"  NAS-Port-Type == "Virtual", Auth-Type = Kerberos
 ...
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject

# This authenticates wireless users
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = Kerberos

I should stress, this accomplishes *exactly* what I want.  That said, it
also involves explicit setting of Auth-Type.  I have seen in more than
one place that this is a Bad Thing(TM).  My first question is how do I
accomplish what the above configuration does without this explicit
Auth-Type setting?  (Or is the above configuration marginally acceptable
because it only sets Auth-Type when it isn't already set?)  Should I
only be defining one authentication module that involves User-PAssword?

More generally, suppose that you have two different authentication
modules, say unix and krb5, that use User-Password.  How does FreeRADIUS
tell which users are supposed to use unix and which are supposed to use
krb5?  (Assuming that you want some to use one, and some to use the
other.)  That is, how does RADIUS know what the "right thing" is in that
case with being told explicitly?

Thanks in advance.

P.S.  Before anyone says anything, I have read the documentation.  More
than once.  It could very easily be that I have missed something totally
obvious though.

-- 
John Guthrie
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to