(RADIATOR) initial run using simple.cfg with NAS client added fails

Jeff Wolfe wolfe at ems.psu.edu
Fri Dec 23 13:47:28 CST 2005


Joon Yun wrote:
> Hi Jeff,
> 
> Yes I read that somewhere but after many attempts and continued success  
> with a kinit on the radiator box using the same username and password,  
> I am 99% sure I have the right password.

I'm sure you are entering the correct password. But, if you're not using 
EAP-TTLS with PAP, the "password" that Radiator unpacks from the 
EAP-TTLS Access-Request and then passes to Kerberos will not be your 
plaintext password.

If you look at your log output from radiator, the "User-Password" field 
in the Access-Request is not your plaintext password. That's why I think 
you have a problem with your TTLS interior auth protocol.

By the way, if you save trace 4 logs of TTLS-PAP sessions, be aware that 
your plaintext password will be in the logs. You should make sure you 
remove it before you send it to the list.. :)

> I was actually getting these results using the radpwtst application and  
> a Cisco Clean Access Server acting as a NAS because it has an  
> authentication testing tool. I am embarrassed to say I was not aware I  
> should be testing with an EAP/TTLS-PAP client. I will try it now with  
> my XP box (SecureW2) and my Mac OS X box (builtin supplicant) and let  
> you all know if I have success. Thanks for your continued insights.

Ah.. Yeah, that could lead to unexpected behavior.. :)

-Jeff

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
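The two points in the reply above (a Kerberos backend can only verify the password when the TTLS inner method is PAP, and trace 4 logs of PAP sessions contain that cleartext password) are illustrated by the following added example. It is not Radiator code and not from the list; it models the tunnelled inner request as a plain dict of RADIUS attribute names, and the trace-log format in the sample is a constructed approximation of Radiator's attribute dump, not a verbatim capture.

```python
"""Added example (not Radiator code): which EAP-TTLS inner methods give the
RADIUS server a cleartext password, and how to scrub it from trace logs.

Attribute names follow the standard RADIUS dictionary; CHAP-Password is built
per RFC 1994 (ID || MD5(ID || secret || challenge)).
"""
import hashlib
import re

# Only PAP puts the user's actual password into the inner Access-Request.
# The challenge/response methods carry a hash or a response derived from a
# challenge, so a backend that re-authenticates with the password (kinit
# against a KDC) has nothing usable even when the user typed it correctly.
PLAINTEXT_METHODS = {"PAP"}


def classify_inner_auth(attrs: dict) -> str:
    """Infer the inner authentication method from the attributes present."""
    if "MS-CHAP2-Response" in attrs:
        return "MSCHAPv2"
    if "MS-CHAP-Response" in attrs:
        return "MSCHAPv1"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "User-Password" in attrs:
        return "PAP"
    return "UNKNOWN"


def backend_can_verify(attrs: dict, backend_needs_plaintext: bool = True) -> bool:
    """True if a backend can check this request.

    A Kerberos (kinit-style) backend needs the cleartext password, so it only
    works behind TTLS-PAP; a backend holding the NT hash could also serve
    MSCHAP, which is what backend_needs_plaintext=False models.
    """
    method = classify_inner_auth(attrs)
    if method == "UNKNOWN":
        return False
    return method in PLAINTEXT_METHODS if backend_needs_plaintext else True


def chap_password(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: the server sees this, never the password."""
    digest = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
    return bytes([chap_id]) + digest


# Constructed sample inner requests for the same user and password.
PAP_REQUEST = {"User-Name": "joon", "User-Password": "s3cret"}
CHAP_CHALLENGE = bytes(range(16))                       # constructed challenge
CHAP_REQUEST = {
    "User-Name": "joon",
    "CHAP-Challenge": CHAP_CHALLENGE.hex(),
    "CHAP-Password": chap_password(1, "s3cret", CHAP_CHALLENGE).hex(),
}

# Constructed trace-style dump (assumed layout, not a real Radiator capture).
SAMPLE_TRACE = """Fri Dec 23 13:00:00 2005: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
\tUser-Name = "joon"
\tUser-Password = "s3cret"
\tNAS-IP-Address = 192.0.2.10
"""

# Matches the quoted value of a User-Password attribute line.
_USER_PASSWORD_RE = re.compile(r'(User-Password\s*=\s*)"[^"]*"')


def redact_trace(log_text: str) -> str:
    """Replace every quoted User-Password value before a log leaves the box."""
    return _USER_PASSWORD_RE.sub(r'\1"<redacted>"', log_text)


if __name__ == "__main__":
    for name, req in (("PAP", PAP_REQUEST), ("CHAP", CHAP_REQUEST)):
        print(name, classify_inner_auth(req),
              "kerberos-verifiable" if backend_can_verify(req) else "NOT verifiable")
    print(redact_trace(SAMPLE_TRACE))
```

Running it shows the PAP request as the only one a Kerberos backend can verify, and prints the trace with the password value replaced, which is the step to take before pasting a trace 4 log into a list message.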

