Configuring FreeRADIUS for Authentication against Kerberos

Thank you to Jeff Hagley at Internet2 and Joy Veronneau at Cornell for contributing to these instructions.
If you have any questions or comments regarding these instructions, please contact the eduroam-US Team and we will work with you to assist as much as possible.

Description

Many institutions use Kerberos authentication on their network, and to join eduroam-US they will need to configure FreeRADIUS to interface with their existing Kerberos infrastructure. This document assumes that the FreeRADIUS server you are installing is the primary RADIUS server for your organization.

Instructions

The following RPMs were used for these instructions on a Red Hat RHEL5 machine:

  • freeradius2-2.1.7-7.el5.x86_64.rpm
  • freeradius2-krb5-2.1.7-7.el5.x86_64.rpm
  • freeradius2-utils-2.1.7-7.el5.x86_64.rpm

For Kerberos authentication I needed to make a keytab file for the RADIUS server. This needs to be done with the Kerberos administration tool kadmin. Once that is done, export the keytab file to the RADIUS server and make it readable only by root and the user under which the RADIUS server runs (radiusd for the Red Hat RPMs).
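The keytab holds the RADIUS service principal's long-term key, so the "readable only by root and the radiusd user" requirement is the one to verify after copying it over. The following script is an added example, not part of the original instructions or of the FreeRADIUS project: it audits a keytab's owner, group and mode bits and reports each deviation from that rule. The service account name "radiusd" is taken from the text above; any other path or account you pass in is your own.

```python
import grp
import os
import pwd
import stat
import sys

# The Red Hat RPMs run the daemon as "radiusd" (from the text above); pass a
# different account name if your installation uses one.
RADIUS_USER = "radiusd"


def _name(lookup, numeric_id, attr):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return getattr(lookup(numeric_id), attr)
    except KeyError:
        return str(numeric_id)


def audit_keytab(path, radius_user=RADIUS_USER):
    """Return a list of problems with a keytab's ownership and permissions.

    An empty list means only root and the RADIUS service account can read
    the file. Each problem is a human-readable string.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []

    # Nobody outside owner and group may have any access bit at all.
    if mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %04o)" % mode)
    # The group may read, but must not be able to write or execute.
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        problems.append("group has write/execute (mode %04o)" % mode)

    owner = _name(pwd.getpwuid, st.st_uid, "pw_name")
    if owner not in ("root", radius_user):
        problems.append("owned by %s, expected root or %s" % (owner, radius_user))

    # If the group can read the file, that group must be the service account's.
    if mode & stat.S_IRGRP:
        group = _name(grp.getgrgid, st.st_gid, "gr_name")
        if group != radius_user:
            problems.append("group-readable by %s, expected %s" % (group, radius_user))
    return problems


if __name__ == "__main__":
    # Usage: python audit_keytab.py /path/to/radius.keytab [...]
    for keytab in sys.argv[1:]:
        found = audit_keytab(keytab)
        print(keytab, "OK" if not found else "; ".join(found))
```

A keytab that passes this check is typically root:radiusd with mode 0640, or radiusd:radiusd with mode 0600; either lets the daemon read the key without exposing it to other local accounts.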

Next you must make sure that Kerberos is properly configured on the server. Edit the file /etc/raddb/modules/krb5 so that the keytab and principal fields are properly filled out. At the top of your users file, add the following line (without the quotes): “DEFAULT Auth-Type = Kerberos”

In eap.conf you need to set up EAP-TTLS with PAP as the inner authentication, since Kerberos authentication only works with this pairing of EAP methods (the server needs the user's plaintext password inside the TLS tunnel to obtain a ticket, which PAP provides and the challenge-response methods do not). The following is how eap.conf should look. Be sure to verify the paths to the SSL/TLS certificates below and that the files are readable by the radiusd user.

eap {
  default_eap_type = ttls
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 2048

  tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_file = ${certdir}/serverkey.key
    certificate_file = ${certdir}/servercert.cert
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
    make_cert_command = "${certdir}/bootstrap"
    cache {
      enable = no
      max_entries = 255
    }
  }

  ttls {
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
  }
}
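Brace-structured files like eap.conf are easy to get wrong by hand (an unclosed section makes radiusd refuse to start, and a mislocated one silently changes what the settings apply to), and the ${certdir} references make it hard to see at a glance which files the daemon will actually open. The following parser is an added example written for this page, not code from FreeRADIUS or eduroam-US; it reads a fragment in the same brace syntax, rejects unbalanced sections, and expands the ${...} variables so the four certificate-related paths can be checked for existence and readability. The embedded EAP_CONF is the fragment above; BROKEN_EAP_CONF is a constructed variant with "tls {" left unclosed; the /etc/raddb default for ${confdir} is an assumption.

```python
import re

# "name {" opens a section; the name may contain spaces ("proxy server {").
SECTION_OPEN = re.compile(r"^(.+?)\s*\{$")
# "key = value"; the value may be quoted.
ASSIGN = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")
# A ${name} reference inside a value.
VAR_REF = re.compile(r"\$\{(\w+)\}")


def parse_raddb(text):
    """Parse a FreeRADIUS-style brace configuration into nested dicts.

    Sections become dicts keyed by their header, "key = value" lines become
    strings (surrounding quotes removed) and a bare word such as "nostrip"
    becomes a True flag. "#" comments and blank lines are skipped (quoted
    "#" is not handled). Raises ValueError on an unclosed or stray brace.
    """
    root = {}
    stack = [("<top>", root)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: '}' with no open section" % lineno)
            stack.pop()
            continue
        match = SECTION_OPEN.match(line)
        if match:
            child = {}
            stack[-1][1][match.group(1)] = child
            stack.append((match.group(1), child))
            continue
        match = ASSIGN.match(line)
        if match:
            stack[-1][1][match.group(1)] = match.group(2).strip().strip('"')
            continue
        if re.fullmatch(r"\w+", line):
            stack[-1][1][line] = True
            continue
        raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    if len(stack) > 1:
        raise ValueError("unclosed section(s): " + ", ".join(n for n, _ in stack[1:]))
    return root


def expand(value, scope, limit=10):
    """Expand ${name} references from scope; unknown names are left as-is.

    The loop is bounded so a self-referential value cannot spin forever.
    """
    for _ in range(limit):
        new_value = VAR_REF.sub(lambda m: scope.get(m.group(1), m.group(0)), value)
        if new_value == value:
            return value
        value = new_value
    return value


def tls_file_paths(config, confdir="/etc/raddb"):
    """Return the fully expanded *_file paths from eap { tls { ... } }."""
    tls = config["eap"]["tls"]
    scope = {k: v for k, v in tls.items() if isinstance(v, str)}
    scope["confdir"] = confdir  # ${confdir} is a FreeRADIUS built-in; path assumed
    return {k: expand(v, scope) for k, v in tls.items() if k.endswith("_file")}


# The eap.conf fragment from the text above (only the eap-level keys that
# matter for the tls and ttls sections are kept).
EAP_CONF = """
eap {
  default_eap_type = ttls
  tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_file = ${certdir}/serverkey.key
    certificate_file = ${certdir}/servercert.cert
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
    make_cert_command = "${certdir}/bootstrap"
    cache {
      enable = no
      max_entries = 255
    }
  }
  ttls {
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
  }
}
"""

# Constructed variant: "tls {" is never closed, so ttls ends up nested in it.
BROKEN_EAP_CONF = """
eap {
  tls {
    cache {
      enable = no
    }
  ttls {
    virtual_server = "inner-tunnel"
  }
}
"""

if __name__ == "__main__":
    for name, path in tls_file_paths(parse_raddb(EAP_CONF)).items():
        print(name, "->", path)
    try:
        parse_raddb(BROKEN_EAP_CONF)
    except ValueError as err:
        print("rejected:", err)
```

The resolved paths can be fed straight into a readability check run as the radiusd user (for example with os.access after dropping privileges), which is the verification the text asks for before the server is started.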

Your proxy.conf file should look like this for eduroam. If you are not configuring FreeRADIUS as the primary RADIUS server for your institution, your proxy.conf file will look different. Be sure to replace the secrets with those you assign for local access and those you exchange with the eduroam-US team (this is particularly easy to overlook and can cause debugging headaches).

proxy server {
  default_fallback = no
}
 
home_server localhost {
  type = auth
  ipaddr = 127.0.0.1
  secret = <your_local_secret>
}
 
realm NULL {
}
 
realm LOCAL {
}
 
realm realm.edu {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
}

realm DEFAULT {
  type = radius
  authhost = <eduroam-US top level server(s)>
  accthost = <eduroam-US top level server(s)>
  secret = <your_eduroam_secret>
  nostrip
}
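The security-relevant consequence of the realm layout above is that any realm without an explicit entry falls through to DEFAULT and is forwarded to the eduroam-US top-level servers, so every realm you authenticate locally must be listed. The following is an added example, not code from FreeRADIUS or the original instructions: it models how the suffix module and these realm entries dispatch a User-Name (split on "@", case-insensitive realm match, NULL for names without a realm, DEFAULT for everything unlisted, and nostrip keeping the full name). The REALMS table is transcribed from the fragment above; the authhost value for DEFAULT is the page's placeholder, not a real host.

```python
# Realm table transcribed from the proxy.conf fragment above. "LOCAL" means
# the request is authenticated on this server; anything else is proxied.
REALMS = {
    "NULL":      {"authhost": "LOCAL", "nostrip": False},
    "LOCAL":     {"authhost": "LOCAL", "nostrip": False},
    "realm.edu": {"authhost": "LOCAL", "nostrip": False},
    "DEFAULT":   {"authhost": "<eduroam-US top level server(s)>", "nostrip": True},
}

# Realm names with special meaning that a user's suffix can never select.
SPECIAL_REALMS = ("NULL", "DEFAULT")


def route_request(user_name, realms=REALMS):
    """Model how the suffix module plus proxy.conf dispatch a User-Name.

    Returns (matched realm, authhost, name presented to the authenticator).
    A name without "@" uses the NULL realm; an unlisted realm falls through
    to DEFAULT; nostrip means the original User-Name is forwarded unchanged.
    """
    if "@" not in user_name:
        realm_name, local_part = "NULL", user_name
    else:
        local_part, _, suffix = user_name.rpartition("@")
        realm_name = next(
            (name for name in realms
             if name not in SPECIAL_REALMS and name.lower() == suffix.lower()),
            "DEFAULT",
        )
    entry = realms[realm_name]
    presented = user_name if entry["nostrip"] else local_part
    return realm_name, entry["authhost"], presented


def proxied_names(user_names, realms=REALMS):
    """Return the subset of user names that would leave this server."""
    return [u for u in user_names if route_request(u, realms)[1] != "LOCAL"]


if __name__ == "__main__":
    # Constructed sample names; note that the sub-realm is forwarded outward
    # because it has no entry of its own.
    for name in ["alice@realm.edu", "Bob@REALM.EDU", "carol", "dave@cs.realm.edu"]:
        print(name, "->", route_request(name))
```

Run the same check against your own realm list whenever a department brings up a new sub-realm: if it shows up in proxied_names, add a local realm entry for it before it goes live.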

Next you need to modify the inner-tunnel and default files under /etc/raddb/sites-available. In both files, under the authenticate section and directly below the pap line, add the following:

Auth-Type Kerberos {
  krb5
}