
Have a particular scenario in which we would like to use FreeRADIUS to log into switches using Kerberos credentials and network devices using EAP-TLS.

Currently have this configured and working, but only one at a time. So I can log into switches using the Kerberos details, and you get a RADIUS Accept back. When a device uses EAP-TLS it will take the machine name and try to authenticate against Kerberos using that name, but subsequently fails because there is no password.

If I comment out the line for 'files', for example, in sites-available/default, the users file is no longer read and the 'default = auth-type kerberos' entry is therefore no longer used. I will then get a RADIUS Accept back for all EAP-TLS requests.

So my apologies for not posting any config or debug information, but it is not possible to share this information; on request I can manually type out any element required.

So my question is: does anyone know how to configure FreeRADIUS to do switch management authentication using Kerberos and network machine authentication using EAP-TLS simultaneously?

Many thanks in advance.

mflammia

1 Answer


Do not force Auth-Type for all cases - only for when you want to use Kerberos.

Often this can be done by configuring "Auth-Type = Kerberos" rather than "Auth-Type := Kerberos": the former will not force the attribute to be updated if it has already been set by EAP.

Alternatively, don't set Auth-Type with the files module, but do it in unlang, e.g. with something like

# In sites-available/default, authorize section, placed after the eap module.
# eap sets Auth-Type in the control list for EAP requests, so test that list
# (FreeRADIUS 3.x syntax) and only fill it in when it is still unset.
if (!&control:Auth-Type) {
    update control {
        &Auth-Type := Kerberos
    }
}

after eap has been called. Rather than saying "if (!Auth-Type)" you might instead want to make that specific to the requests that should use Kerberos, e.g. by checking the Packet-Src-IP-Address / NAS-Identifier / Huntgroup / etc.
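As an added example, not from the question or the answer above, here is one way to lay out the authorize section so that Kerberos is selected only for switch management logins, identified by huntgroup, while EAP-TLS machine authentication keeps the Auth-Type that the eap module sets. The huntgroup name "switches", the NAS addresses, and the exact section layout are assumptions for illustration; the file names follow the FreeRADIUS 3.x raddb layout.

```text
# raddb/huntgroups (assumed: management addresses of the switches)
switches    NAS-IP-Address == 10.0.0.10
switches    NAS-IP-Address == 10.0.0.11

# raddb/sites-available/default, authorize section (fragment)
authorize {
    preprocess          # fills in Huntgroup-Name from raddb/huntgroups
    files               # users file: no "DEFAULT Auth-Type := Kerberos" line here
    eap {
        ok = return     # EAP-TLS requests leave authorize here, with
    }                   # control:Auth-Type already set by the eap module
    # Only non-EAP requests reach this point. Pick Kerberos for the switch
    # management logins, and only if nothing has chosen an Auth-Type yet.
    if (&Huntgroup-Name == "switches" && !&control:Auth-Type) {
        update control {
            &Auth-Type := Kerberos
        }
    }
}

# authenticate section: the Auth-Type chosen above selects the module
authenticate {
    Auth-Type Kerberos {
        krb5
    }
    eap
}
```

If you would rather keep the selection in the users file, the equivalent is a single "DEFAULT Auth-Type = Kerberos" entry with the non-overriding "=" operator, as the answer describes; the unlang form above is preferable when you also want to restrict Kerberos to particular NAS devices, since the condition can test Huntgroup-Name, NAS-Identifier, or Packet-Src-IP-Address directly.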