4 This is an implementation of the GSS EAP mechanism, as described in
5 draft-ietf-abfab-gss-eap-01.txt.
10 In order to build this, a recent Kerberos implementation (MIT or
11 Heimdal), Shibboleth, and EAP libraries are required, along with
12 all of their dependencies.
14 Note: not all SPIs are supported by the Heimdal mechanism glue,
15 so not all features will be available.
23 When installing, be sure to edit $prefix/etc/gss/mech to register
24 the EAP mechanisms. A sample configuration file is in this directory.
25 You may need to specify an absolute path.
30 Make sure your RADIUS library is configured to talk to the server of
31 your choice: see the example radsec.conf in this directory. If you
32 want to use TCP or TLS, you'll need to run radsecproxy in front of
38 These instructions apply to FreeRADIUS only, which is downloadable
39 from http://freeradius.org/. After configure, make, install, do the
42 On the RADIUS server side, you need to install dictionary.ukerna and
43 include it from the main dictionary file. Do this by adding:
45 $INCLUDE dictionary.ukerna
47 to $prefix/share/freeradius/dictionary.
49 Edit $prefix/etc/raddb/users to add your test user and password:
51 bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
53 Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
58 require_message_authenticator = yes
61 Edit $prefix/etc/raddb/eap.conf and set:
65 default_eap_type = ttls
70 private_key_file = ...
71 certificate_file = ...
74 default_eap_type = mschapv2
75 copy_request_to_tunnel = no
76 use_tunneled_reply = no
77 virtual_server = "inner-tunnel"
84 If you want the acceptor be able to identify the user, the RADIUS
85 server needs to echo back the EAP username from the inner tunnel;
86 for privacy, mech_eap only sends the realm in the EAP Identity
87 response. To configure this with FreeRADIUS, add:
90 User-Name = "%{request:User-Name}"
93 If you want to add a SAML assertion, do this with "update reply"
94 in $prefix/etc/raddb/sites-available/default:
97 SAML-AAA-Assertion = '<saml:Assertion ...'
98 SAML-AAA-Assertion += '...'
101 You'll need to split it into multiple lines because of the RADIUS
102 attribute size limit.
107 You can then test the MIT or Cyrus GSS and SASL example programs.
108 Sample usage is given below. Substitute <user>, <pass> and <host>
109 appropriately (<host> is the name of the host running the server,
110 not the RADIUS server).
112 % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
113 -user <user> -pass <pass> <host> host@<host> "Testing GSS EAP"
114 % gss-server -port 5555 -export host@<host>
116 Note: for SASL you will be prompted for a username and password.
118 % client -C -p 5556 -s host -m EAP-AES128 <host>
119 % server -c -p 5556 -s host -h <host>
121 To test fast reauthentication support, add the following to
126 reauth_use_ccache = TRUE
129 This will store a Kerberos ticket for a GSS-EAP authenticated user
130 in a credentials cache, which can then be used for re-authentication
131 to the same acceptor. You must have a valid keytab configured.