Having made no changes to the config, but using radtest from the command line, this is the debug output using kerberos but not EAP:

rad_recv: Access-Request packet from host 127.0.0.1:49649, id=40, length=65
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "XXXXXXXXXXXX"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 33
  modcall[authorize]: module "preprocess" returns ok for request 33
  modcall[authorize]: module "chap" returns noop for request 33
  modcall[authorize]: module "mschap" returns noop for request 33
rlm_realm: Looking up realm "msu.edu" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "MSU.EDU"
    rlm_realm: Adding Stripped-User-Name = "testuser"
    rlm_realm: Proxying request from user testuser to realm MSU.EDU
    rlm_realm: Adding Realm = "MSU.EDU"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 33
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 33
    users: Matched entry DEFAULT at line 5
  modcall[authorize]: module "files" returns ok for request 33
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 33
modcall: leaving group authorize (returns ok) for request 33
  rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
  Processing the authenticate section of radiusd.conf
modcall: entering group kerberos for request 33
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
  modcall[authenticate]: module "krb5" returns ok for request 33
modcall: leaving group kerberos (returns ok) for request 33
Sending Access-Accept of id 40 to 127.0.0.1 port 49649
Finished request 33
Going to the next request

====================================================

This is from a message I posted earlier with kerberos and EAP. I hope that's enough of it for you, since my client started acting up and now I have to beat on it a bit:


rlm_realm: Looking up realm "msu.edu" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "MSU.EDU"
    rlm_realm: Adding Stripped-User-Name = "testuser"
    rlm_realm: Proxying request from user testuser to realm MSU.EDU
    rlm_realm: Adding Realm = "MSU.EDU"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 1 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 10
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
  Processing the authenticate section of radiusd.conf
modcall: entering group kerberos for request 4
rlm_krb5: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "krb5" returns invalid for request 4
modcall: leaving group kerberos (returns invalid) for request 4
auth: Failed to validate the user.


=========================================
[EMAIL PROTECTED] wrote:
Can you post the debug (radiusd -X) for the same user with and without
EAP (using Kerberos - no users file entry).

Ivan Kalik
kalik Informatika ISP


On 11/10/2007, "Lisa Besko" <[EMAIL PROTECTED]> wrote:

It works w/o EAP. I can do a radtest with a valid userid and password on the kerberos server and get authorized (and not get authorized with bad information).

I can get EAP-TTLS to work if I put a user and a password in the radius users file but that's not what we want. We need the kerberos piece to work. I'd be happy to send some config files along if that would help. I feel like I'm missing something small that's so obvious no one has thought to document it.

We can get various parts working at any given moment with kerberos but we can't get it all working.

Thanks,

LB

[EMAIL PROTECTED] wrote:
It should be. Use EAP-TTLS/PAP and configure kerberos module in
radiusd.conf:

http://wiki.freeradius.org/index.php/Rlm_krb5

Make sure that it works without EAP first.

Ivan Kalik
Kalik Informatika ISP


On 10/10/2007, "Lisa Besko" <[EMAIL PROTECTED]> wrote:

Is there a way to do 802.1x with Kerberos authentication using Freeradius?

If there is, can anyone point me in the right direction?

We have been trying eap-ttls most recently with very little luck but
everything I have read says this should be possible.  What are we missing?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




--
Lisa Besko
Systems Administrator                   517-432-7317
Network Management                      [EMAIL PROTECTED]
        Academic Computing & Network Services
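
An added example, not part of the original thread and not FreeRADIUS code: a small check that groups `radiusd -X` lines by request number and flags the two conditions visible in the traces above (krb5 returning ok after logging that the host key was not found, and krb5 being run on a request that carries EAP and so has no User-Password). The function names and finding labels are assumptions; the sample lines are constructed from the two traces in this message.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the two radiusd -X traces in this thread.
SAMPLE = """\
  rlm_eap: No EAP-Message, not doing EAP
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
  modcall[authenticate]: module "krb5" returns ok for request 33
Sending Access-Accept of id 40 to 127.0.0.1 port 49649
Finished request 33
  rlm_eap: EAP packet type response id 1 length 18
rlm_krb5: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "krb5" returns invalid for request 4
auth: Failed to validate the user.
"""

REQ = re.compile(r"request (\d+)")
KRB5_RC = re.compile(r'module "krb5" returns (\w+)')

def group_by_request(text):
    """Lines without a request number go with the next numbered line (-X output is sequential)."""
    groups, pending, last = defaultdict(list), [], None
    for line in text.splitlines():
        pending.append(line.strip())
        m = REQ.search(line)
        if m:
            last = int(m.group(1))
            groups[last].extend(pending)
            pending = []
    if last is not None:
        groups[last].extend(pending)  # trailing lines after the last number
    return groups

def audit(text):
    findings = []
    for req, lines in sorted(group_by_request(text).items()):
        blob = "\n".join(lines)
        rc = KRB5_RC.search(blob)
        # krb5 said ok although it could not find the host key to verify the TGT with
        if "host key not found" in blob and rc and rc.group(1) == "ok":
            findings.append((req, "KRB5_OK_WITHOUT_HOST_KEY"))
        # krb5 was run on a request that carries EAP and therefore no User-Password
        if "rlm_eap: EAP packet type" in blob and 'Attribute "User-Password" is required' in blob:
            findings.append((req, "KRB5_RUN_ON_EAP_REQUEST"))
    return findings

if __name__ == "__main__":
    for req, code in audit(SAMPLE):
        print(f"request {req}: {code}")
```
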