On Thu, Oct 11, 2007 at 11:28:36AM -0400, Lisa Besko wrote:
> Thanks for the help so far. Part of the problem is we have probably tried
> so many things we probably messed something up along the way and don't remember
> what it is.
>
> I think I have all the right stuff in the config files. I'll do a little
> cut and paste here and maybe you will spot something I missed.
>
> radius.conf (and all the eap parts are uncommented as well):
>
> modules {
> ......
>   krb5 {
>     # keytab containing the key used by rlm_krb5
>     keytab = /usr/local/raddb/nmserv.keytab
>
>     # principal that is used by rlm_krb5
>     #service_principal = host/[EMAIL PROTECTED]
>   }
> .....
>
>   pap {
>     auto_header = yes
>   }
> ........
> }
>
> authenticate {
>   Auth-Type PAP {
>     pap
>   }
>
>   Auth-Type kerberos {
>     krb5
>   }
> }

I think this should be Kerberos and not kerberos.

Ken

> -----------------------
> eap.conf:
> eap {
>   default_eap_type = ttls
>   md5 {
>   }
>
>   tls {
>     private_key_password = whatever
>     private_key_file = ${raddbdir}/certs/cert-srv.pem
>     certificate_file = ${raddbdir}/certs/cert-srv.pem
>     CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>     dh_file = ${raddbdir}/certs/dh
>     random_file = ${raddbdir}/certs/random
>   }
>
>   ttls {
>     default_eap_type = md5
>     copy_request_to_tunnel = yes
>     use_tunneled_reply = yes
>   }
> }
>
> users:
> DEFAULT Freeradius-Proxied-To == 127.0.0.1
>   Fall-Through = Yes
>
> DEFAULT Auth-Type := Kerberos
>   Fall-Through = 1
>
> Debug output at the moment:
>
> rlm_realm: Looking up realm "msu.edu" for User-Name = "[EMAIL PROTECTED]"
> rlm_realm: Found realm "MSU.EDU"
> rlm_realm: Adding Stripped-User-Name = "testuser"
> rlm_realm: Proxying request from user testuser to realm MSU.EDU
> rlm_realm: Adding Realm = "MSU.EDU"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: EAP packet type response id 1 length 18
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 4
> users: Matched entry DEFAULT at line 10
> modcall[authorize]: module "files" returns ok for request 4
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> modcall[authorize]: module "pap" returns noop for request 4
> modcall: leaving group authorize (returns updated) for request 4
> rad_check_password: Found Auth-Type Kerberos
> auth: type "Kerberos"
> Processing the authenticate section of radiusd.conf
> modcall: entering group kerberos for request 4
> rlm_krb5: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "krb5" returns invalid for request 4
> modcall: leaving group kerberos (returns invalid) for request 4
> auth: Failed to validate the user.
>
> [EMAIL PROTECTED] wrote:
>
>> no. you don't need to use the users file for the userid/password. you
>> simply need to ensure that the krb5 module is in the Authorize
>> section and that you have PAP enabled...and that you are using EAP-TTLS
>> with PAP inner method.
>>
>> so....your FR config needs at least the following configs...
>>
>> radiusd.conf
>>
>> in the authorize section
>>
>> krb5 {
>> }
>>
>> in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default
>> for 2.x)
>>
>> Auth-Type krb5 {
>>   krb5
>> }
>>
>> you MAY configure krb5 in radiusd.... we haven't found this actually
>> necessary(!)
>>
>> # krb5 {
>> #   keytab = /path/to/keytab
>> #   service_principal = name_of_principle
>> # }
>>
>> finally. if you are facing issues and you don't help with supplying a log
>> file then please ensure that your RADIUS request isn't being b0rked
>> by something in the users file eg
>>
>> DEFAULT Auth-Type = System
>>
>> you can at least change this to....
>>
>> DEFAULT Auth-Type = krb5
>>
>> just for checking(!!)
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> --
> Lisa Besko
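The two things worth checking in this thread are whether the Auth-Type the users file sets actually names a group in the authenticate section (and whether it only matches by case-insensitive comparison, which is what Ken's remark is about), and what the rlm_krb5 line in the debug output means. The script below is an added example, not code from the thread or from FreeRADIUS. The users, authenticate and debug fragments are constructed here by copying the thread's own text; the reading of the "User-Password is required" line as "the EAP-TTLS inner method must be PAP rather than EAP-MD5" is this example's own heuristic, based on alan's advice above and on the ttls section's default_eap_type = md5.

```python
"""Sanity checks for the FreeRADIUS krb5 / EAP-TTLS setup in the thread (added example)."""
import re

# --- constructed inputs, copied from the thread ---------------------------------
USERS_FILE = """\
DEFAULT Freeradius-Proxied-To == 127.0.0.1
        Fall-Through = Yes

DEFAULT Auth-Type := Kerberos
        Fall-Through = 1
"""

AUTHENTICATE_SECTION = """\
authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type kerberos {
                krb5
        }
}
"""

DEBUG_LOG = """\
rlm_pap: WARNING! No "known good" password found for the user.
rad_check_password: Found Auth-Type Kerberos
modcall: entering group kerberos for request 4
rlm_krb5: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "krb5" returns invalid for request 4
auth: Failed to validate the user.
"""


def authenticate_groups(text):
    """Return the Auth-Type group names declared in an authenticate section."""
    return re.findall(r"Auth-Type\s+(\S+)\s*\{", text)


def users_auth_types(text):
    """Return the Auth-Type values the users file assigns (with := or =)."""
    return re.findall(r"Auth-Type\s*:?=\s*(\S+)", text)


def check_auth_type_references(users_text, authenticate_text):
    """For each Auth-Type set in users, report whether a group exists and how it matched.

    Status is "exact", "case-only:<group name as declared>" or "missing".
    """
    groups = authenticate_groups(authenticate_text)
    by_lower = {g.lower(): g for g in groups}
    findings = []
    for auth_type in users_auth_types(users_text):
        if auth_type in groups:
            findings.append((auth_type, "exact"))
        elif auth_type.lower() in by_lower:
            findings.append((auth_type, "case-only:" + by_lower[auth_type.lower()]))
        else:
            findings.append((auth_type, "missing"))
    return findings


# Debug-line pattern -> short diagnosis. The mapping is this example's heuristic,
# not a FreeRADIUS-provided table.
DIAGNOSES = [
    (re.compile(r'rlm_krb5: Attribute "User-Password" is required'),
     "krb5 needs a cleartext password; the EAP-TTLS inner method must be PAP, not EAP-MD5"),
    (re.compile(r'rlm_pap: WARNING! No "known good" password'),
     "expected here: pap has no stored password to compare, krb5 does the check"),
    (re.compile(r'module "(\S+)" returns invalid'),
     "module {0} returned invalid for this request"),
]


def diagnose_debug_log(text):
    """Return one diagnosis string per recognised debug line, in log order."""
    findings = []
    for line in text.splitlines():
        for pattern, message in DIAGNOSES:
            m = pattern.search(line)
            if m:
                findings.append(message.format(*m.groups()))
    return findings


if __name__ == "__main__":
    for auth_type, status in check_auth_type_references(USERS_FILE, AUTHENTICATE_SECTION):
        print(f"users Auth-Type {auth_type}: {status}")
    for msg in diagnose_debug_log(DEBUG_LOG):
        print("debug:", msg)
```

On the thread's own fragments the checker reports the Kerberos/kerberos pair as a case-only match, which agrees with the debug output above (it found Auth-Type Kerberos and still entered group kerberos), and flags the rlm_krb5 line as the actual rejection point; the pap warning is reported as expected, since no password is stored in the users file for the KDC check.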