otp over radius preauthentication

Frederic Van Espen frederic.ve at gmail.com
Thu May 8 14:50:15 EDT 2014


Dear list,

I'm trying to set up otp over radius preauthentication (with a
yubikey) and am hitting some issue I can't wrap my head around.

The PKINIT part seems to work fine, i.e. I can do kinit -n -c ./armor
which gives me a ticket cache with a ticket I can use for FAST armor.

I then run kinit -T ./armor <username>. This prompts me for the OTP
Token. At this point I enter the password of the user, immediately
followed by the OTP from the yubikey. In the FreeRADIUS logs I see
that the OTP is first validated correctly and then the user password
is properly authenticated against LDAP:
==> kerberos/krb5kdc.log <==
May 08 20:42:55 obelix-clone krb5kdc[21126](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) 172.16.35.65: NEEDED_PREAUTH:
fes at ICT-DEV.ESCAUX.COM for
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM, Additional
pre-authentication required

==> freeradius/radius.log <==
Waking up in 0.9 seconds.
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
[<thread>] # Executing section authorize from file
/etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: OTP is valid: ccccccdbkebjtfevnkcrnuugntghbhthjdlkfvjdfnll
rlm_perl: fes has valid OTP: ccccccdbkebjtfevnkcrnuugntghbhthjdlkfvjdfnll
rlm_perl: Added pair User-Name = fes
rlm_perl: Added pair User-Password = testingpassword
rlm_perl: Added pair NAS-Identifier = obelix-clone
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 172.16.35.65
++[perl] returns ok
++? if (ok)
? Evaluating (ok) -> TRUE
++? if (ok) -> TRUE
++- entering if (ok) {...}
+++[control] returns ok
++- if (ok) returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "fes", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "fes" with password "testingpassword"
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> fes
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=fes)
[ldap] expand: ou=People,dc=escaux,dc=com -> ou=People,dc=escaux,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=escaux,dc=com, with filter (uid=fes)
  [ldap] ldap_release_conn: Release Id: 0
[ldap] user DN: uid=fes,ou=People,dc=escaux,dc=com
  [ldap] (re)connect to localhost:389, authentication 1
  [ldap] bind as uid=fes,ou=People,dc=escaux,dc=com/testingpassword to
localhost:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user fes authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
rlm_perl: Added pair User-Name = fes
rlm_perl: Added pair NAS-Identifier = obelix-clone
rlm_perl: Added pair User-Password = testingpassword
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 172.16.35.65
rlm_perl: Added pair Ldap-UserDn = uid=fes,ou=People,dc=escaux,dc=com
rlm_perl: Added pair Auth-Type = LDAP
++[perl] returns ok
++[exec] returns noop
Finished request 2.
Going to the next request
Thread 3 waiting to be assigned a request

==> kerberos/krb5kdc.log <==
May 08 20:43:02 obelix-clone krb5kdc[21126](info): DISPATCH: repeated
(retransmitted?) request from 172.16.35.65, resending previous
response
May 08 20:43:02 obelix-clone krb5kdc[21126](info): closing down fd 15

==> freeradius/radius.log <==
Waking up in 4.6 seconds.

==> kerberos/krb5kdc.log <==
May 08 20:43:03 obelix-clone krb5kdc[21126](info): preauth (otp)
verify failure: Connection timed out
May 08 20:43:03 obelix-clone krb5kdc[21126](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) 172.16.35.65: PREAUTH_FAILED:
fes at ICT-DEV.ESCAUX.COM for
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM, Preauthentication failed
May 08 20:43:03 obelix-clone krb5kdc[21126](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) 172.16.35.65: NEEDED_PREAUTH:
fes at ICT-DEV.ESCAUX.COM for
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM, Additional
pre-authentication required

==> freeradius/radius.log <==
Cleaning up request 2 ID 62 with timestamp +194
Ready to process requests.





Even when tracing the requests to FreeRADIUS I see that the
Access-Accept packet is sent by radius.

However, at this point it prompts again for the OTP token. Again I
enter the user's password, followed by the yubikey token, resulting in
this in the logs:






Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 3, (1 handled so far)
[<thread>] # Executing section authorize from file
/etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: OTP is valid: ccccccdbkebjgeeelkhnctrvehrbuciddfjkuvdhjvir
rlm_perl: fes has valid OTP: ccccccdbkebjgeeelkhnctrvehrbuciddfjkuvdhjvir
rlm_perl: Added pair User-Name = fes
rlm_perl: Added pair User-Password = testingpassword
rlm_perl: Added pair NAS-Identifier = obelix-clone
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 172.16.35.65
++[perl] returns ok
++? if (ok)
? Evaluating (ok) -> TRUE
++? if (ok) -> TRUE
++- entering if (ok) {...}
+++[control] returns ok
++- if (ok) returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "fes", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "fes" with password "testingpassword"
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> fes
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=fes)
[ldap] expand: ou=People,dc=escaux,dc=com -> ou=People,dc=escaux,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=escaux,dc=com, with filter (uid=fes)
  [ldap] ldap_release_conn: Release Id: 0
[ldap] user DN: uid=fes,ou=People,dc=escaux,dc=com
  [ldap] (re)connect to localhost:389, authentication 1
  [ldap] bind as uid=fes,ou=People,dc=escaux,dc=com/testingpassword to
localhost:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user fes authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
rlm_perl: Added pair User-Name = fes
rlm_perl: Added pair NAS-Identifier = obelix-clone
rlm_perl: Added pair User-Password = testingpassword
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 172.16.35.65
rlm_perl: Added pair Ldap-UserDn = uid=fes,ou=People,dc=escaux,dc=com
rlm_perl: Added pair Auth-Type = LDAP
++[perl] returns ok
++[exec] returns noop
Finished request 3.
Going to the next request
Thread 2 waiting to be assigned a request
Waking up in 4.6 seconds.

==> kerberos/krb5kdc.log <==
May 08 20:43:17 obelix-clone krb5kdc[21126](info): preauth (otp)
verify failure: Connection timed out
May 08 20:43:17 obelix-clone krb5kdc[21126](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) 172.16.35.65: PREAUTH_FAILED:
fes at ICT-DEV.ESCAUX.COM for
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM, Preauthentication failed

==> freeradius/radius.log <==
Cleaning up request 3 ID 145 with timestamp +208
Ready to process requests.




During all this, here's the trace output of kinit:
fes at obelix-clone:~$ KRB5_TRACE=/dev/stderr kinit -T ./armor fes
[21218] 1399574575.801684: Getting initial credentials for
fes at ICT-DEV.ESCAUX.COM
[21218] 1399574575.815821: FAST armor ccache: ./armor
[21218] 1399574575.816193: Retrieving
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/fast_avail/krbtgt\/ICT-DEV.ESCAUX.COM\@ICT-DEV.ESCAUX.COM at X-CACHECONF:
from FILE:./armor with result: 0/Success
[21218] 1399574575.816290: Read config in FILE:./armor for
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM: fast_avail: yes
[21218] 1399574575.816386: Using FAST due to armor ccache negotiation result
[21218] 1399574575.816488: Getting credentials
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM using ccache FILE:./armor
[21218] 1399574575.816631: Retrieving
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM from FILE:./armor with
result: 0/Success
[21218] 1399574575.816744: Armor ccache sesion key: aes256-cts/5CFB
[21218] 1399574575.816890: Creating authenticator for
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM, seqnum 0, subkey
aes256-cts/BC7E, session key aes256-cts/5CFB
[21218] 1399574575.817176: FAST armor key: aes256-cts/2F12
[21218] 1399574575.817293: Encoding request body and padata into FAST request
[21218] 1399574575.817440: Sending request (988 bytes) to ICT-DEV.ESCAUX.COM
[21218] 1399574575.817549: Resolving hostname kerberos.ict-dev.escaux.com
[21218] 1399574575.817919: Sending initial UDP request to dgram 172.16.35.65:88
[21218] 1399574575.819180: Received answer (633 bytes) from dgram
172.16.35.65:88
[21218] 1399574575.851231: Response was not from master KDC
[21218] 1399574575.851287: Received error from KDC:
-1765328359/Additional pre-authentication required
[21218] 1399574575.851301: Decoding FAST response
[21218] 1399574575.851425: Processing preauth types: 16, 15, 14, 136,
147, 141, 133, 137
[21218] 1399574575.851433: Received cookie: MIT
[21218] 1399574575.851479: PKINIT client has no configured identity; giving up
[21218] 1399574575.851538: Preauth module pkinit (147) (info)
returned: 0/Success
[21218] 1399574575.851564: PKINIT client has no configured identity; giving up
[21218] 1399574575.851575: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[21218] 1399574575.851597: PKINIT client has no configured identity; giving up
[21218] 1399574575.851607: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[21218] 1399574575.851628: PKINIT client has no configured identity; giving up
[21218] 1399574575.851640: Preauth module pkinit (14) (real) returned:
22/Invalid argument
Enter OTP Token Value:
[21218] 1399574581.453094: Preauth module otp (141) (real) returned: 0/Success
[21218] 1399574581.453111: Produced preauth for next request: 133, 142
[21218] 1399574581.453120: Encoding request body and padata into FAST request
[21218] 1399574581.453253: Sending request (1178 bytes) to ICT-DEV.ESCAUX.COM
[21218] 1399574581.453305: Resolving hostname kerberos.ict-dev.escaux.com
[21218] 1399574581.453440: Sending initial UDP request to dgram 172.16.35.65:88
[21218] 1399574582.454048: Initiating TCP connection to stream 172.16.35.65:88
[21218] 1399574582.454251: Sending TCP request to stream 172.16.35.65:88
[21218] 1399574582.454957: TCP error receiving from stream
172.16.35.65:88: 104/Connection reset by peer
[21218] 1399574582.454973: Terminating TCP connection to stream 172.16.35.65:88
[21218] 1399574583.957324: Received answer (633 bytes) from dgram
172.16.35.65:88
[21218] 1399574583.979364: Response was not from master KDC
[21218] 1399574583.979462: Received error from KDC:
-1765328360/Preauthentication failed
[21218] 1399574583.979474: Decoding FAST response
[21218] 1399574583.979594: Preauth tryagain input types: 16, 14, 14,
136, 147, 141, 133, 137
[21218] 1399574583.979633: Retrying AS request with master KDC
[21218] 1399574583.979644: Getting initial credentials for
fes at ICT-DEV.ESCAUX.COM
[21218] 1399574583.979691: FAST armor ccache: ./armor
[21218] 1399574583.979798: Retrieving
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/fast_avail/krbtgt\/ICT-DEV.ESCAUX.COM\@ICT-DEV.ESCAUX.COM at X-CACHECONF:
from FILE:./armor with result: 0/Success
[21218] 1399574583.979811: Read config in FILE:./armor for
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM: fast_avail: yes
[21218] 1399574583.979820: Using FAST due to armor ccache negotiation result
[21218] 1399574583.979839: Getting credentials
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM using ccache FILE:./armor
[21218] 1399574583.979890: Retrieving
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM from FILE:./armor with
result: 0/Success
[21218] 1399574583.979910: Armor ccache sesion key: aes256-cts/5CFB
[21218] 1399574583.979945: Creating authenticator for
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS ->
krbtgt/ICT-DEV.ESCAUX.COM at ICT-DEV.ESCAUX.COM, seqnum 0, subkey
aes256-cts/4335, session key aes256-cts/5CFB
[21218] 1399574583.980034: FAST armor key: aes256-cts/2FC1
[21218] 1399574583.980058: Encoding request body and padata into FAST request
[21218] 1399574583.980128: Sending request (988 bytes) to
ICT-DEV.ESCAUX.COM (master)
[21218] 1399574583.999156: Resolving hostname obelix-clone.ict-dev.escaux.com.
[21218] 1399574583.999279: Sending initial UDP request to dgram 172.16.35.65:88
[21218] 1399574584.1295: Received answer (631 bytes) from dgram 172.16.35.65:88
[21218] 1399574584.1359: Received error from KDC:
-1765328359/Additional pre-authentication required
[21218] 1399574584.1373: Decoding FAST response
[21218] 1399574584.1470: Processing preauth types: 16, 15, 14, 136,
147, 141, 133, 137
[21218] 1399574584.1478: Received cookie: MIT
[21218] 1399574584.1522: PKINIT client has no configured identity; giving up
[21218] 1399574584.1556: Preauth module pkinit (147) (info) returned: 0/Success
[21218] 1399574584.1581: PKINIT client has no configured identity; giving up
[21218] 1399574584.1593: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[21218] 1399574584.1613: PKINIT client has no configured identity; giving up
[21218] 1399574584.1623: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[21218] 1399574584.1776: PKINIT client has no configured identity; giving up
[21218] 1399574584.1795: Preauth module pkinit (14) (real) returned:
22/Invalid argument
Enter OTP Token Value:
[21218] 1399574595.404839: Preauth module otp (141) (real) returned: 0/Success
[21218] 1399574595.404855: Produced preauth for next request: 133, 142
[21218] 1399574595.404863: Encoding request body and padata into FAST request
[21218] 1399574595.404965: Sending request (1178 bytes) to
ICT-DEV.ESCAUX.COM (master)
[21218] 1399574595.425367: Resolving hostname obelix-clone.ict-dev.escaux.com.
[21218] 1399574595.425460: Sending initial UDP request to dgram 172.16.35.65:88
[21218] 1399574597.928793: Received answer (633 bytes) from dgram
172.16.35.65:88
[21218] 1399574597.928867: Received error from KDC:
-1765328360/Preauthentication failed
[21218] 1399574597.928878: Decoding FAST response
[21218] 1399574597.928986: Preauth tryagain input types: 16, 14, 14,
136, 147, 141, 133, 137
kinit: Preauthentication failed while getting initial credentials




Also here's krb5.conf:
root at obelix-clone:~# cat /etc/krb5.conf
[libdefaults]
default_realm = ICT-DEV.ESCAUX.COM

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[kdcdefaults]
kdc_tcp_ports = 88
restrict_anonymous_to_tgt = true

[realms]
ICT-DEV.ESCAUX.COM = {
kdc = kerberos.ict-dev.escaux.com:88
admin_server = kerberos.ict-dev.escaux.com
default_domain = ict-dev.escaux.com
pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/usr/local/share/ca-certificates/cacert.pem
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
}

[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
.ict-dev.escaux.com = ICT-DEV.ESCAUX.COM
ict-dev.escaux.com = ICT-DEV.ESCAUX.COM

[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

[otp]
DEFAULT = {
server = 172.16.35.65:1812
secret = /etc/krb5kdc/radius-secret
timeout = 5
retries = 1
strip_realm = true
}




I'm really at a loss here and could use some experienced eyes that can
help me set this up. I have looked at the guides of the few people
that explained how to set this up but have not seen anyone running
into the same issue.

Any help would be greatly appreciated!

Cheers,

Frederic
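
An offline check for the symptom described above (the RADIUS server sends Access-Accept while the KDC's otp module reports a timeout), added here and not part of the original post: RFC 2865 has a client silently discard a reply whose Identifier or Response Authenticator does not verify, so a captured request/reply pair can be tested against the secret configured on the client side. The packets, secrets and function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def parse_header(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the captured data")
    return code, ident, packet[4:20], packet[20:length]


def response_authenticator(code, ident, attrs, request_auth, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def check_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """Return 'ok', or the reason a client would silently discard the reply."""
    req_code, req_id, req_auth, _ = parse_header(request)
    code, ident, auth, attrs = parse_header(reply)
    if req_code != ACCESS_REQUEST:
        return "first packet is not an Access-Request"
    if ident != req_id:
        return "identifier mismatch"
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    if not hmac.compare_digest(auth, expected):
        return "bad response authenticator"
    return "ok"


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_reply(request: bytes, code: int, attrs: bytes, secret: bytes) -> bytes:
    """Construct a reply the way a server would (used only for the sample data)."""
    _, ident, req_auth, _ = parse_header(request)
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


# Constructed sample exchange (not taken from the capture mentioned in the post).
SERVER_SECRET = b"constructed-secret"
SAMPLE_REQUEST = (struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + 5)
                  + bytes(range(16)) + attr(1, b"fes"))      # 1 = User-Name
SAMPLE_REPLY = build_reply(SAMPLE_REQUEST, ACCESS_ACCEPT,
                           attr(18, b"ok"), SERVER_SECRET)   # 18 = Reply-Message

if __name__ == "__main__":
    for label, secret in [("client holds the same secret", SERVER_SECRET),
                          ("client holds a different secret", b"other-constructed-secret")]:
        print(label, "->", check_reply(SAMPLE_REQUEST, SAMPLE_REPLY, secret))
```

With real data, pass the raw UDP payloads of the request and reply from a packet capture together with the secret exactly as the client reads it.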

