This is an implementation of the GSS EAP mechanism, as described in
draft-ietf-abfab-gss-eap-00.txt.

In order to build this, a recent Kerberos implementation (MIT or
Heimdal), Shibboleth, and EAP libraries are required, along with
all of their dependencies.

Note: not all SPIs are supported by the Heimdal mechanism glue,
so not all features will be available.

When installing, be sure to edit $prefix/etc/gss/mech to register
the EAP mechanisms. A sample configuration file is in this directory.

Make sure your RADIUS library is configured to talk to the server of
your choice: see the example radsec.conf in this directory.

On the RADIUS server side, you need to install dictionary.ukerna to
$prefix/etc/raddb and include it from the main dictionary file, by
adding:

    $INCLUDE dictionary.ukerna

to $prefix/etc/raddb/dictionary. Make sure these files are
world-readable; they weren't in my installation.

Edit $prefix/etc/raddb/users to add your test user and password:

    bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret

Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:

    require_message_authenticator = yes

Edit $prefix/etc/raddb/eap.conf and set:

    default_eap_type = ttls

    private_key_file = ...
    certificate_file = ...

    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
If you want the acceptor to be able to identify the user, the RADIUS
server needs to echo back the EAP username from the inner tunnel;
for privacy, mech_eap only sends the realm in the EAP Identity
response. To configure this with FreeRADIUS, add:

    User-Name = "%{request:User-Name}"

to $prefix/etc/raddb/sites-enabled/inner-tunnel, and ensure that

    virtual_server = "inner-tunnel"

is set in eap.conf for the desired EAP types.
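As an added check (not part of mech_eap or FreeRADIUS), the following Python audits constructed fragments of clients.conf, eap.conf and the inner-tunnel site against the settings the steps above call for: the key names and required values come from this README, while the sample fragments and the loose key = value parser that ignores block nesting are assumptions of the example.

```python
import re

# Constructed fragments shaped like the files this README edits (not from a
# real installation); clients.conf deliberately carries the weak setting.
CLIENTS_CONF = """client acceptor {
    ipaddr = 192.0.2.10
    require_message_authenticator = no
}"""
EAP_CONF = """eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}"""
INNER_TUNNEL = """update reply {
    User-Name = "%{request:User-Name}"
}"""

# One 'key = value' per line, quotes optional; nesting is flattened on purpose.
_KV = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def settings(text):
    """Map each key to every value assigned to it in the fragment."""
    found = {}
    for key, value in _KV.findall(text):
        found.setdefault(key, []).append(value)
    return found

# eap.conf values the README asks for: outer TTLS, inner MSCHAPv2
REQUIRED_EAP = {
    "default_eap_type": {"ttls", "mschapv2"},
    "copy_request_to_tunnel": {"no"},
    "use_tunneled_reply": {"no"},
    "virtual_server": {"inner-tunnel"},
}

def audit(clients_conf, eap_conf, inner_tunnel):
    """Return the README requirements the three fragments fail to meet."""
    problems = []
    if settings(clients_conf).get("require_message_authenticator") != ["yes"]:
        problems.append("clients.conf: require_message_authenticator is not yes")
    eap = settings(eap_conf)
    for key, wanted in REQUIRED_EAP.items():
        if set(eap.get(key, [])) != wanted:
            problems.append(f"eap.conf: {key} is not {sorted(wanted)}")
    if settings(inner_tunnel).get("User-Name") != ["%{request:User-Name}"]:
        problems.append("inner-tunnel: reply does not echo the inner User-Name")
    return problems
```

Run against the constructed fragments, audit() reports only the missing Message-Authenticator requirement; point it at the real files under $prefix/etc/raddb to check a live setup.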
To test the SAML assertion code path, you can place a fixed SAML
assertion in the update reply block of the default configuration.

    SAML-AAA-Assertion = '<saml:Assertion ...'
    SAML-AAA-Assertion += '...'

You'll need to split it into multiple lines because of the RADIUS

You can then test the MIT or Cyrus GSS and SASL example programs.
Sample usage is given below. Substitute <user>, <pass> and <host>
appropriately (<host> is the name of the host running the server,
not the RADIUS server).

    % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
        -user <user> -pass <pass> <host> host@<host> "Testing GSS EAP"
    % gss-server -port 5555 -export host@<host>

Note: for SASL you will be prompted for a username and password.

    % client -C -p 5556 -s host -m EAP-AES128 <host>
    % server -c -p 5556 -s host -h <host>