This was discussed off-list too, but I thought I'd do a summary for the
benefit of the list members too.
We had our FreeIPA configuration implode a while back, so the
decision was made to switch our Linux servers to using realm and
sssd for authentication. No real issues until they switched the
server that Radiator was running on, which broke wireless
authentication:
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
As far as I know, sssd does not support EAP-MSCHAP-V2, or any other
MSCHAP variation.
The real question -- can I redo my PEAP configuration to work with
Kerberos? Looking at the samples in goodies, I see krb5.conf, but it
contains:
# Works with RADIUS-PAP, TTLS-PAP.
I'd say the only way to do it with Linux is to use AuthBy NTLM running
on a Linux host that has Samba configured as an AD computer.
In other words, neither sssd nor Kerberos supports NThash-based MSCHAP or
its variants.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software