[RADIATOR] PEAP and Kerberos?
Heikki Vatiainen
hvn at open.com.au
Fri Jun 30 14:39:34 UTC 2023
This was discussed off-list too, but I thought I'd do a summary for the
benefit of the list members too.
> We had our FreeIPA configuration implode a while back, so the
> decision was made to switch our Linux servers to using realm and
> sssd for authentication. No real issues until they switched the
> server that Radiator was running on, which broke wireless
> authentication:
>
> Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access
> rejected for adoe2: EAP MSCHAP-V2 Authentication failure
As far as I know, sssd does not support EAP-MSCHAP-V2, or any other
MSCHAP variation.
> The real question -- can I redo my PEAP configuration to work with
> Kerberos? Looking at the samples in goodies, I see krb5.conf, but it
> contains:
>
> # Works with RADIUS-PAP, TTLS-PAP.
I'd say the only way to do it with Linux is to use AuthBy NTLM running
on a Linux host that has Samba configured as an AD computer.
In other words, neither sssd nor Kerberos supports NThash-based MSCHAP or
its variants.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software