-- 
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
> -----Original Message-----
>
> Message: 5
> Date: Fri, 12 Oct 2007 10:45:11 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: 802.1x & kerberos
> To: FreeRadius users mailing list
>     <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Lisa Besko wrote:
> > Thanks for the help so far. Part of the problem is we have probably
> > tried so many things we probably messed something up along the way don't
> > remember what it is.
>
> Stop right there. If you don't keep track of what you're doing, you
> will NEVER get it to work.
>
> Throw away everything you've done, and start with all of the default
> configuration files. Then, proceed with the following steps:
>
> 1) Configure EAP-TTLS
>    i.e. the "tls" and "ttls" sub-sections of eap.conf
>
> 2) Put the following at the TOP of the "users" file:
>
>    bob Cleartext-Password := "bob"
>
> 3) Start the server in debug mode
>
> 4) validate that you can log in with "bob" using radtest (i.e. PAP)
>
> 5) validate that EAP-TTLS works with username/password "bob" and "bob"
>
> 6) Configure kerberos in radiusd.conf.
>
> 7) Delete the "bob" entry in the "users" file.
>
> 8) Replace it with:
>
>    DEFAULT Auth-Type = Kerberos
>
> And it WILL work.
> ...
> > authenticate {
> >     Auth-Type PAP {
> >         pap
> >     }
> >
> >     Auth-Type kerberos {
> >         krb5
> >     }
> > }
>
> If you don't list "eap" there, it won't work. Again, throw away your
> existing configuration files, and start from the default ones.
>
> > users:
> > DEFAULT Freeradius-Proxied-To == 127.0.0.1
> >     Fall-Through = Yes
>
> That entry does nothing.

I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS

http://www.mail-archive.com/[email protected]/msg02045.html

Has something changed in recent code that makes this unnecessary?

> > DEFAULT Auth-Type := Kerberos
> >     Fall-Through = 1
>
> An earlier message in this thread said "Auth-Type = Kerberos". What
> you have above is different. PLEASE follow instructions carefully.
>
> Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
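
As an added example (not part of the original thread and not FreeRADIUS project code), a small Python check for the two deviations pointed out in the quoted reply: an authenticate section that does not list "eap", and a users entry whose operator differs from "Auth-Type = Kerberos". The sample configuration text is constructed from the fragments quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the fragments quoted in the thread.
RADIUSD_CONF = """
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type kerberos {
        krb5
    }
}
"""
USERS = """
DEFAULT Freeradius-Proxied-To == 127.0.0.1
    Fall-Through = Yes

DEFAULT Auth-Type := Kerberos
    Fall-Through = 1
"""

def section_body(conf, name):
    """Return the text inside `name { ... }`, honouring nested braces."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]*\{", conf, re.M)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return None  # unbalanced braces

def check(conf, users):
    findings = []
    body = section_body(re.sub(r"#.*", "", conf), "authenticate")
    if body is None:
        findings.append("radiusd.conf: no authenticate section found")
    # A module reference is a bare word alone on its line, at any nesting depth.
    elif "eap" not in set(re.findall(r"^[ \t]*([\w.-]+)[ \t]*$", body, re.M)):
        findings.append('authenticate: "eap" is not listed')
    for n, line in enumerate(re.sub(r"#.*", "", users).splitlines(), 1):
        m = re.match(r"DEFAULT\s+Auth-Type\s*(:=|==|=)\s*Kerberos\b", line, re.I)
        if m and m.group(1) != "=":
            findings.append(f'users line {n}: operator "{m.group(1)}", thread says "="')
    return findings

if __name__ == "__main__":
    print("\n".join(check(RADIUSD_CONF, USERS)))
```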

