Hi,

> It works w/o EAP. I can do a radtest with a valid userid and password
> on the kerberos server and get authorized (and not get authorized with
> bad information).

right

> I can get EAP-TTLS to work if I put a user and a password in the radius
> users file but that's not what we want. We need the kerberos piece to
> work. I'd be happy to send some config files along if that would help.
> I feel like I'm missing something small that's so obvious no one has
> thought to document it.

no. you don't need to use the users file for the userid/password. you
simply need to ensure that the krb5 module is in the Authorize section
and that you have PAP enabled...and that you are using EAP-TTLS with PAP
inner method.

so....your FR config needs at least the following configs...

radiusd.conf

in the authorize section

    krb5 { }

in the authenticate section (radiusd.conf for 1.1.x,
sites-enabled/default for 2.x)

    Auth-Type krb5 {
        krb5
    }

you MAY configure krb5 in radiusd.... we haven't found this actually
necessary(!)

    # krb5 {
    #     keytab = /path/to/keytab
    #     service_principal = name_of_principle
    # }

finally. if you are facing issues and you don't help with supplying a log
file then please ensure that your RADIUS request isn't being b0rked by
something in the users file

eg

    DEFAULT Auth-Type = System

you can at least change this to....

    DEFAULT Auth-Type = krb5

just for checking(!!)

alan