<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Greetings,</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
We had our FreeIPA configuration implode a while back, so the decision was made to switch our Linux servers to using realm and sssd for authentication. No real issues until they switched the server that Radiator was running on, which broke wireless authentication:</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: 140.107.6.10: cf-wlc: Access-Request: a4-83-e7-58-60-75: a0-93-51-a9-fc-c0:Marconi</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:15 2023: wifi: FAIL: adoe2: adoe2: : cf-wlc: Access-Request: a4-83-e7-58-60-75:</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: 140.107.6.10: cf-wlc: Access-Request: 3c-22-fb-e2-d1-70: 68-3b-78-d6-5c-20:Marconi</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Sat Jun 17 14:01:16 2023: wifi: FAIL: jdoe: jdoe: : cf-wlc: Access-Request: 3c-22-fb-e2-d1-70:</p>
<p class="p1" style="margin:0px;font:14px Menlo">Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.</p>
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
So, I logged in to see what changes were made and concluded that, since our wifi was using PEAP and AuthBy NTLM, switching to realm / sssd meant that wouldn't work any longer. Anyway, I reverted to the previous configuration (snapshots are great).
So, the immediate problem is solved. </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
The real question -- can I redo my PEAP configuration to work with Kerberos? Looking at the samples in goodies, I see krb5.conf, but it contains:
<p class="p1" style="margin:0px;font:14px Menlo"><span class="s1 ContentPasted2" style="font-variant-ligatures:no-common-ligatures"># Works with RADIUS-PAP, TTLS-PAP. </span></p>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
I see the heimdal config, but am not sure how that relates to Kerberos. Can I refashion that to work with my AD?</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Handler section from my radiator config:</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<p class="p1" style="margin:0px;font:14px Menlo">#####################################################################</p>
<p class="p1" style="margin:0px;font:14px Menlo"># Handlers</p>
<p class="p1" style="margin:0px;font:14px Menlo">#####################################################################</p>
<p class="p1" style="margin:0px;font:14px Menlo">#</p>
<p class="p1" style="margin:0px;font:14px Menlo">#### Wireless Clients using PEAP #####</p>
<p class="p1" style="margin:0px;font:14px Menlo"># The most popular method, supported by default by Windows. Does not require a client-side cert and is thus considered less secure</p>
<p class="p1" style="margin:0px;font:14px Menlo"># than EAP-TLS</p>
<p class="p1" style="margin:0px;font:14px Menlo">&lt;Handler TunnelledByPEAP=1&gt;</p>
<p class="p1" style="margin:0px;font:14px Menlo">    RejectHasReason</p>
<p class="p2" style="margin:0px;font:14px Menlo;min-height:16px"><br></p>
<p class="p1" style="margin:0px;font:14px Menlo">    AuthLog wifi-authlog</p>
<p class="p2" style="margin:0px;font:14px Menlo;min-height:16px"><br></p>
<p class="p1" style="margin:0px;font:14px Menlo">    &lt;AuthBy NTLM&gt;</p>
<p class="p1" style="margin:0px;font:14px Menlo">        include /etc/radiator/eap.txt</p>
<p class="p1" style="margin:0px;font:14px Menlo">        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1</p>
<p class="p1" style="margin:0px;font:14px Menlo">        Domain XXXXX</p>
<p class="p1" style="margin:0px;font:14px Menlo">        DefaultDomain XXXXX</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPType MSCHAP-V2</p>
<p class="p1" style="margin:0px;font:14px Menlo">    &lt;/AuthBy&gt;</p>
<p class="p1" style="margin:0px;font:14px Menlo">&lt;/Handler&gt;</p>
<p class="p2" style="margin:0px;font:14px Menlo;min-height:16px"><br></p>
<p class="p1" style="margin:0px;font:14px Menlo">#### Outer Handler #####</p>
<p class="p1" style="margin:0px;font:14px Menlo"># When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role</p>
<p class="p1" style="margin:0px;font:14px Menlo">&lt;Handler&gt;</p>
<p class="p1" style="margin:0px;font:14px Menlo">    AuthByPolicy ContinueUntilAccept</p>
<p class="p2" style="margin:0px;font:14px Menlo;min-height:16px"><br></p>
<p class="p1" style="margin:0px;font:14px Menlo">    AuthLog wifi-authlog</p>
<p class="p1" style="margin:0px;font:14px Menlo">    RejectHasReason</p>
<p class="p1" style="margin:0px;font:14px Menlo">    &lt;AuthBy FILE&gt;</p>
<p class="p1" style="margin:0px;font:14px Menlo">        Filename %D/users.anonymous</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPType PEAP,TTLS</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPTLS_PEAPVersion 0</p>
<p class="p1" style="margin:0px;font:14px Menlo">        include /etc/radiator/eap.txt</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPTLS_CertificateType PEM</p>
<p class="p1" style="margin:0px;font:14px Menlo">#       EAPTLS_PrivateKeyPassword everwhat</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPTLS_MaxFragmentSize 1024</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPTLS_SecurityLevel 1</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPTLS_Ciphers DEFAULT@SECLEVEL=1</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2</p>
<p class="p1" style="margin:0px;font:14px Menlo">        EAPAnonymous %0</p>
<p class="p1" style="margin:0px;font:14px Menlo">        AutoMPPEKeys</p>
<p class="p1" style="margin:0px;font:14px Menlo">        SSLeayTrace 4</p>
<p class="p1" style="margin:0px;font:14px Menlo">    &lt;/AuthBy&gt;</p>
<p class="p1" style="margin:0px;font:14px Menlo">&lt;/Handler&gt;</p>
<p class="p2" style="margin:0px;font:14px Menlo;min-height:16px"><br></p>
Any help or hints would be greatly appreciated. </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Thank you!</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
-p<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<span><br>
</span></div>
<div class="elementToProof">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div class="WordSection1">
<p class="MsoNormal"><b><span style="font-size: 10.5pt; color: rgb(18, 48, 84);">Pat Hirayama</span></b><span style="font-size: 10pt; color: rgb(18, 48, 84);"><br>
Pronouns: he/him/his<br>
Systems Engineer<br>
IT | Systems Engineering<br>
Fred Hutchinson Cancer Center<br>
<b>O</b> 206.667.4856</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; color: rgb(18, 48, 84);"><a href="mailto:phirayam@fredhutch.org">phirayam@fredhutch.org</a></span></p>
</div>
</div>
</div>
</div>
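<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Editor's added example (not code from the poster or from the Radiator project). The quoted log shows the ntlm_auth helper reporting "The specified account does not exist" for three different users in the same second, which points at the new host's domain join / winbind lookup rather than at wrong passwords. The script below parses the two failure line shapes RejectHasReason and AuthBy NTLM emit and applies that heuristic: a lookup error shared by several distinct users is a backend problem on the RADIUS host, a single-user error is more likely a credential or account issue. The sample input is the post's own failure lines, rejoined where the e-mail wrapped them; the regexes, the function names and the "min_users" threshold are this example's assumptions. One caveat worth knowing before reworking the handler: EAP-MSCHAP-V2 is a challenge/response computed over the NT hash, so whatever verifies it needs the NT hash or an NTLM service such as ntlm_auth, while a Kerberos KDC can only check a password it receives in the clear, which is why the goodies krb5.conf sample is marked as working with RADIUS-PAP and TTLS-PAP.
</div>

```python
import re
from collections import defaultdict

# Constructed sample input: the radiusd syslog failure lines quoted in the post,
# with the two lines that wrapped in the e-mail rejoined. The AuthLog "wifi: FAIL"
# lines are left out because the triage keys on the reject reason and on the
# NTLM helper's error text.
SAMPLE_LOG = """\
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for adoe2: PEAP Authentication Failure
Jun 17 14:01:15 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'adoe2': The specified account does not exist.
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: EAP MSCHAP-V2 Authentication failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: Access rejected for jdoe: PEAP Authentication Failure
Jun 17 14:01:16 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jdoe': The specified account does not exist.
Jun 17 14:01:17 scooby /opt/radiator/radiator/radiusd[42339]: NTLM Could not authenticate user 'jsmith': The specified account does not exist.
"""

# "Access rejected for <user>: <reason>" is what RejectHasReason logs (assumed shape,
# taken from the lines above).
REJECT_RE = re.compile(
    r"radiusd\[\d+\]: Access rejected for (?P<user>\S+): (?P<reason>.+)$")
# "NTLM Could not authenticate user '<user>': <error>" is AuthBy NTLM relaying the
# ntlm_auth helper's result (assumed shape, taken from the lines above).
NTLM_RE = re.compile(
    r"radiusd\[\d+\]: NTLM Could not authenticate user '(?P<user>[^']+)': (?P<error>.+)$")

# Helper error meaning the account lookup itself failed (the host's winbind /
# domain join cannot see the user), as opposed to a wrong password.
LOOKUP_FAILURE = "The specified account does not exist"


def parse_failures(text):
    """Return (rejects, ntlm_errors): per-user lists of reject reasons and helper errors."""
    rejects = defaultdict(list)
    ntlm_errors = defaultdict(list)
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects[m["user"]].append(m["reason"].strip())
            continue
        m = NTLM_RE.search(line)
        if m:
            # Drop the trailing period so the error text compares cleanly.
            ntlm_errors[m["user"]].append(m["error"].strip().rstrip("."))
    return dict(rejects), dict(ntlm_errors)


def triage(text, min_users=2):
    """Heuristic classification of a burst of NTLM helper failures.

    Errors are grouped by their text and by the distinct users they hit. A lookup
    failure shared by at least min_users different accounts is treated as a
    backend problem on the RADIUS host; an error seen for one user only is
    treated as a per-user issue.
    """
    rejects, ntlm_errors = parse_failures(text)
    users_by_error = defaultdict(set)
    for user, errors in ntlm_errors.items():
        for err in errors:
            users_by_error[err].add(user)
    verdicts = {}
    for err, users in users_by_error.items():
        if err == LOOKUP_FAILURE and len(users) >= min_users:
            verdict = "backend lookup failure on the RADIUS host, not bad credentials"
        elif len(users) >= min_users:
            verdict = "same helper error for several users: check ntlm_auth/winbind first"
        else:
            verdict = "isolated failure: likely a per-user credential or account issue"
        verdicts[err] = {"users": sorted(users), "verdict": verdict}
    return {
        "eap_rejected_users": sorted(rejects),
        "ntlm_failed_users": sorted(ntlm_errors),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Run it against a captured radiusd log instead of SAMPLE_LOG to get the same summary; on the post's lines it reports all three users under the lookup-failure verdict, which is the signal to check the host's domain membership and the helper (the Domain / DefaultDomain values and the ntlm_auth invocation in the AuthBy NTLM clause) before touching the EAP configuration.
</div>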
</body>
</html>