On Feb 9, 2009, at 4:05 PM, sth wrote:

I'd like to integrate the function of an older RADIUS server (FR 1.0.1)
into the new one (FR 2.1.3), which handles 802.1X. The old FR box
handles authentication for a VPN concentrator. It has some static users defined, then defaults to PAM (which, in this context, means krb5). Krb5
works fine on the FR 2.1.3 config if I append:

        DEFAULT       Auth-Type := Kerberos

to the users file. Doing so breaks all tunneled EAP methods (which
reading leads me to believe is predictable). Using PAM gives similar
results, and I figured it better to use FR's native krb5 support anyway.

I started down the path indicated in a seemingly-similar thread[3] from
February of 2008, but my understanding of FR is still not good enough
that I can parlay those (mostly FR1.x) instructions into a valid FR2.x
config, in spite of Phil Mayers' general comments re: using 2.x's
virtual server functionality.

Are EAP and DEFAULTs mutually-exclusive? If not, what's the most
effective way to approach this? Your thoughts on the matter are
appreciated. I apologize in advance if there's already a wiki page or
thread that deals with this, and accept links to such posts with great
gusto. :-)

One way would be to not manually set Auth-Type in the users file and instead use unlang:

authorize {
  ...
  update control {
    Auth-Type = Kerberos
  }
}

This would set Auth-Type to Kerberos if and only if no other modules in the authorize section (such as files or eap) set Auth-Type.

See 'man unlang' for more details.

Mike Loosbrock
Bethel University Network Services
651-638-6723
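
An added example, not part of the original post and not taken from the FreeRADIUS distribution: the fallback described above shown in the context of a complete authorize/authenticate pair for a 2.x virtual server. It assumes an rlm_krb5 instance named "krb5" is already configured, that the static users carry a known password so pap can claim them, and that the module order follows the stock default site; all other modules are elided.

```conf
# Illustrative FreeRADIUS 2.x virtual server fragment
# (for example raddb/sites-available/default). Assumption: a module
# instance named "krb5" exists; unrelated modules are left out.

authorize {
    preprocess

    # EAP requests: the eap module marks the request for EAP
    # authentication itself, so nothing below needs to touch it.
    eap {
        ok = return
    }

    # Static users from the users file. There is no
    # "DEFAULT Auth-Type := Kerberos" entry any more: ":=" replaces
    # whatever Auth-Type was set earlier, which is what broke EAP.
    files

    # Claims requests that have a known password from "files",
    # but only when no Auth-Type has been set yet.
    pap

    # Fallback, listed last. "=" adds Auth-Type only if the control
    # list does not already contain one, so EAP and static users
    # keep theirs and everything else goes to Kerberos.
    update control {
        Auth-Type = Kerberos
    }
}

authenticate {
    # Runs only for requests whose Auth-Type ended up as Kerberos.
    Auth-Type Kerberos {
        krb5
    }

    pap
    eap
}
```

Running the server in debug mode (radiusd -X) shows which Auth-Type each request ends up with, which confirms that EAP and static-user requests never reach the Kerberos fallback.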