(RADIATOR) initial run using simple.cfg with NAS client added fails
Jeff Wolfe
wolfe at ems.psu.edu
Fri Dec 23 13:47:28 CST 2005

Joon Yun wrote:
> Hi Jeff,
>
> Yes I read that somewhere but after many attempts and continued success
> with a kinit on the radiator box using the same username and password,
> I am 99% sure I have the right password.

I'm sure you are entering the correct password. But, if you're not using
EAP-TTLS with PAP, the "password" that Radiator unpacks from the
EAP-TTLS Access-Request and then passes to Kerberos will not be your
plaintext password.

If you look at your log output from radiator, the "User-Password" field
in the Access-Request is not your plaintext password. That's why I think
you have a problem with your TTLS interior auth protocol.

By the way, if you save trace 4 logs of TTLS-PAP sessions, be aware that
your plaintext password will be in the logs. You should make sure you
remove it before you send it to the list.. :)

> I was actually getting these results using the radpwtst application and
> a Cisco Clean Access Server acting as a NAS because it has an
> authentication testing tool. I am embarrassed to say I was not aware I
> should be testing with an EAP/TTLS-PAP client. I will try it now with
> my XP box (SecureW2) and my Mac OS X box (builtin supplicant) and let
> you all know if I have success. Thanks for your continued insights.

Ah.. Yeah, that could lead to unexpected behavior.. :)

-Jeff

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
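
One way to scrub a saved trace 4 log before posting it, as the message above recommends (an added example, not part of the original message and not Radiator code). It assumes attributes are dumped one per line as `Name = value`; `redact_log`, `SENSITIVE` and the sample log lines are constructed for illustration and are not real Radiator output.

```python
import re

# Standard RADIUS / MS-CHAP attribute names that carry credentials or
# credential-derived material.
SENSITIVE = ("User-Password", "CHAP-Password", "CHAP-Challenge",
             "MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response")

# Assumption: attributes are dumped one per line as `<indent>Name = value`.
ATTR_RE = re.compile(
    r"^(?P<lead>\s*(?:%s)\s*=\s*).*$" % "|".join(map(re.escape, SENSITIVE)))

MASK = "<REDACTED>"

def redact_log(text, known_secrets=()):
    """Return (redacted_text, replacements).

    Pass 1 masks the value of every sensitive attribute line.
    Pass 2 masks literal occurrences of passwords the poster knows were
    used in the test, which catches echoes outside attribute lines.
    """
    out, count = [], 0
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            line = m.group("lead") + MASK
            count += 1
        for secret in known_secrets:
            if secret and secret in line:
                line = line.replace(secret, MASK)
                count += 1
        out.append(line)
    return "\n".join(out), count

# Constructed sample: an outer request, an inner TTLS-PAP request carrying
# the plaintext password, and a debug line that echoes it.
SAMPLE_LOG = """Fri Dec 23 13:40:01 2005: DEBUG: outer request (constructed)
\tUser-Name = "anonymous"
\tEAP-Message = <2><3><0><6><21><0>
Fri Dec 23 13:40:02 2005: DEBUG: inner request (constructed)
\tUser-Name = "jdoe"
\tUser-Password = "Examp1e-Pass"
Fri Dec 23 13:40:02 2005: DEBUG: checking jdoe with Examp1e-Pass
"""

if __name__ == "__main__":
    cleaned, n = redact_log(SAMPLE_LOG, known_secrets=["Examp1e-Pass"])
    print(cleaned)
    print("%d value(s) masked" % n)
```

Without `known_secrets` only the attribute line is masked, so the echoed password in the last sample line would still be posted.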