Thank you, now it is much clearer to me.

Rick


Alan DeKok wrote:
Riccardo Veraldi wrote:
if I configure freeradius2 with krb5 authentication and I use the
following users file,
the authentication works using radtest

DEFAULT        Auth-Type := Kerberos

  See "man users" about the ":=" operator.  This *forces* Kerberos
authentication.

  See also my web page on password compatibility.  Kerberos isn't on
there, but it would look the same as the row showing CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

but it fails using EAP (EAP-TTLS), telling User-Password attribute is
missing...

  Yes... Kerberos takes a password entered by the user, and does
kerberos magic with it.  There is *no* password in EAP.  So Kerberos
doesn't work.

if I instead use the following users file:

DEFAULT        Auth-Type = Kerberos

both radtest and EAP authentication work, and that's good, but why?

  As always, read the debugging output.  It *tells* you why.

  In short, the "=" operator says "try Kerberos, but ONLY if nothing
else is supposed to authenticate the user".

  This means that the EAP module handles EAP, as it's supposed to.  The
"inner-tunnel" virtual server then gets a password *inside* of the TTLS
tunnel.  That password is used for kerberos authentication.

  *Please* go read the debug output and compare it to the above
description.  While it's complicated, it is the best way to understand
what's going on.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
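
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the behaviour described above, showing why ":=" breaks EAP-TTLS while "=" lets the inner-tunnel password reach Kerberos. It assumes the eap module runs before the users file during authorize and that the TTLS inner method carries a plain password; all function names and sample requests are constructed.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how the users-file
# operators "=" and ":=" act on the Auth-Type control attribute.

def eap_authorize(request, control):
    # Modeled eap module: claims a request that carries an EAP-Message.
    if "EAP-Message" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "EAP"

def files_authorize(control, op):
    # Modeled users-file entry:  DEFAULT  Auth-Type <op> Kerberos
    if op == ":=":
        control["Auth-Type"] = "Kerberos"            # always overwrite
    elif op == "=":
        control.setdefault("Auth-Type", "Kerberos")  # only if nothing set it
    else:
        raise ValueError("unsupported operator: " + op)

def authenticate(request, control):
    auth_type = control.get("Auth-Type")
    if auth_type == "Kerberos":
        if "User-Password" not in request:
            return "reject: User-Password attribute is missing"
        return "krb5: check User-Password against the KDC"
    if auth_type == "EAP":
        return "eap: continue TTLS, hand tunneled data to inner-tunnel"
    return "reject: no Auth-Type"

def run(request, op):
    control = {}
    eap_authorize(request, control)  # assumed order: eap before the users file
    files_authorize(control, op)
    return authenticate(request, control)

# Constructed sample requests (values are placeholders).
RADTEST = {"User-Name": "rick", "User-Password": "constructed-password"}
OUTER_TTLS = {"User-Name": "anonymous", "EAP-Message": "<constructed>"}
INNER_TTLS = {"User-Name": "rick", "User-Password": "constructed-password"}

def eap_ttls(op):
    # The inner-tunnel request is only processed if the outer one stays with EAP.
    outer = run(OUTER_TTLS, op)
    return run(INNER_TTLS, op) if outer.startswith("eap:") else outer

if __name__ == "__main__":
    for op in (":=", "="):
        print(op, "| radtest ->", run(RADTEST, op), "| EAP-TTLS ->", eap_ttls(op))
```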
