4 This is an implementation of the GSS EAP mechanism, as described in
5 draft-ietf-abfab-gss-eap-01.txt.
10 In order to build this, a recent Kerberos implementation (MIT or
11 Heimdal), Shibboleth, and EAP libraries are required, along with
12 all of their dependencies.
14 Note: not all SPIs are supported by the Heimdal mechanism glue,
15 so not all features will be available.
23 When installing, be sure to edit $prefix/etc/gss/mech to register
24 the EAP mechanisms. A sample configuration file is in this directory.
25 You may need to specify an absolute path.
30 Make sure your RADIUS library is configured to talk to the server of
31 your choice: see the example radsec.conf in this directory. If you
32 want to use TCP or TLS, you'll need to run radsecproxy in front of
38 These instructions apply to FreeRADIUS only, which is downloadable
39 from http://freeradius.org/. After configure, make, install, do the
42 On the RADIUS server side, you need to install dictionary.ukerna and
43 include it from the main dictionary file. Do this by adding:
45 $INCLUDE dictionary.ukerna
47 to $prefix/share/freeradius/dictionary.
49 Edit $prefix/etc/raddb/users to add your test user and password:
51 bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
53 Edit $prefix/etc/raddb/attrs to permit the release of keying attributes,
54 by commenting out or removing the following:
56 # MS-MPPE-Recv-Key =* ANY,
57 # MS-MPPE-Send-Key =* ANY,
58 # MS-CHAP-MPPE-Keys =* ANY,
60 Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
65 require_message_authenticator = yes
68 Edit $prefix/etc/raddb/eap.conf and set:
72 default_eap_type = ttls
77 private_key_file = ...
78 certificate_file = ...
81 default_eap_type = mschapv2
82 copy_request_to_tunnel = no
83 use_tunneled_reply = no
84 virtual_server = "inner-tunnel"
91 If you want the acceptor be able to identify the user, the RADIUS
92 server needs to echo back the EAP username from the inner tunnel;
93 for privacy, mech_eap only sends the realm in the EAP Identity
94 response. To configure this with FreeRADIUS, add:
97 User-Name = "%{request:User-Name}"
100 If you want to add a SAML assertion, do this with "update reply"
101 in $prefix/etc/raddb/sites-available/default:
104 SAML-AAA-Assertion = '<saml:Assertion ...'
105 SAML-AAA-Assertion += '...'
108 You'll need to split it into multiple lines because of the RADIUS
109 attribute size limit.
114 You can then test the MIT or Cyrus GSS and SASL example programs.
115 Sample usage is given below. Substitute <user>, <pass> and <host>
116 appropriately (<host> is the name of the host running the server,
117 not the RADIUS server).
119 % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
120 -user <user> -pass <pass> <host> host@<host> "Testing GSS EAP"
121 % gss-server -port 5555 -export host@<host>
123 Note: for SASL you will be prompted for a username and password.
125 % client -C -p 5556 -s host -m EAP-AES128 <host>
126 % server -c -p 5556 -s host -h <host>
128 To test fast reauthentication support, add the following to
133 reauth_use_ccache = TRUE
136 This will store a Kerberos ticket for a GSS-EAP authenticated user
137 in a credentials cache, which can then be used for re-authentication
138 to the same acceptor. You must have a valid keytab configured.