Riccardo Veraldi wrote:
> if I configure freeradius2 with krb5 authentication and I use the
> following users file,
> the authentication works using radtest
>
> DEFAULT Auth-Type := Kerberos

See "man users" about the ":=" operator. This *forces* Kerberos authentication.

See also my web page on password compatibility. Kerberos isn't on there, but it would look the same as the row showing CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

> but it fails using EAP (EAP-TTLS) telling User-Password attribute is
> missing...

Yes... Kerberos takes a password entered by the user, and does Kerberos magic with it. There is *no* password in EAP. So Kerberos doesn't work.

> if I instead use the following users file:
>
> DEFAULT Auth-Type = Kerberos
>
> both radtest and EAP authentication works, and that's good, but why?

As always, read the debugging output. It *tells* you why.

In short, the "=" operator says "try Kerberos, but ONLY if nothing else is supposed to authenticate the user". This means that the EAP module handles EAP, as it's supposed to. The "inner-tunnel" virtual server then gets a password *inside* of the TTLS tunnel. That password is used for Kerberos authentication.

*Please* go read the debug output and compare it to the above description. While it's complicated, it is the best way to understand what's going on.

Alan DeKok.
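
The operator behaviour described in the reply above, as a small Python model. This is an added example, not FreeRADIUS code and not part of the original thread; it assumes the eap module runs before files in the authorize section, and the function names and request contents are constructed for illustration.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how a "users" file
# DEFAULT entry interacts with the eap module when Auth-Type is decided.

def apply_check_item(config, attr, op, value):
    """Apply one users-file item to the config list, per "man users"."""
    if op == ":=":                 # always replace any existing value
        config[attr] = value
    elif op == "=":                # set only if the attribute is not set yet
        config.setdefault(attr, value)
    else:
        raise ValueError("operator not modelled: " + op)

def authorize(request, op):
    """Assumed module order: eap first, then files (the DEFAULT entry)."""
    config = {}
    if "EAP-Message" in request:   # the eap module claims EAP requests
        config["Auth-Type"] = "EAP"
    apply_check_item(config, "Auth-Type", op, "Kerberos")
    return config["Auth-Type"]

def authenticate(request, op):
    """Return (Auth-Type chosen, outcome) for one request."""
    auth_type = authorize(request, op)
    if auth_type == "Kerberos":
        if "User-Password" not in request:
            return auth_type, "fail: User-Password attribute is missing"
        return auth_type, "ok: password handed to Kerberos"
    # EAP-TTLS: the outer request carries no password. The tunnelled password
    # is processed as a new request by the inner-tunnel virtual server.
    inner = {"User-Name": request["User-Name"], "User-Password": "constructed"}
    return auth_type, "inner-tunnel -> %s: %s" % authenticate(inner, op)

# Constructed sample requests: radtest sends PAP, a supplicant sends EAP.
RADTEST = {"User-Name": "alice", "User-Password": "constructed"}
EAP_TTLS = {"User-Name": "alice", "EAP-Message": "constructed"}

if __name__ == "__main__":
    for op in (":=", "="):
        for name, req in (("radtest", RADTEST), ("EAP-TTLS", EAP_TTLS)):
            print(op, name, authenticate(req, op))
```

With ":=" the outer EAP request is forced to Kerberos and fails for lack of a password; with "=" the EAP module keeps the outer request and Kerberos only sees the inner-tunnel request, which does carry one.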

