Overview
========

This is an implementation of the GSS EAP mechanism, as described in
draft-ietf-abfab-gss-eap-00.txt.

Building
========

In order to build this, a recent Kerberos implementation (MIT or Heimdal),
Shibboleth, and EAP libraries are required, along with all of their
dependencies.

Note: not all SPIs are supported by the Heimdal mechanism glue, so not all
features will be available.

Installing
==========

When installing, be sure to edit $prefix/etc/gss/mech to register the EAP
mechanisms. A sample configuration file is in this directory.

Make sure your RADIUS library is configured to talk to the server of your
choice: see the example radsec.conf in this directory.

On the RADIUS server side, you need to install dictionary.ukerna and include
it from the main dictionary file. Your authentication policy also needs to
echo the EAP username back to the acceptor if you want the acceptor to be
able to identify the initiator.

Testing
=======

You can then test the MIT or Cyrus GSS and SASL example programs. Sample
usage is given below. Substitute , and appropriately ( is the name of the
host running the server, not the RADIUS server).

% gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
  -user -pass host@ "Testing GSS EAP"
% gss-server -port 5555 -export host@

Note: for SASL you will be prompted for a username and password.

% client -C -p 5556 -s host -m EAP-AES128
% server -c -p 5556 -s host -h
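
A pre-flight check tying the Installing step to the Testing step: it verifies that the OID passed to gss-client -mech is actually registered in the mech file before you run the test programs. This is an added example, not part of the project; the function names are hypothetical, the mech file is assumed to use "name, dotted OID, shared library" columns with "#" comments, and the sample entries (mechanism name, library name) are constructed placeholders.

```shell
#!/bin/sh
# Added example: confirm the OID given to "gss-client -mech" is registered
# in the GSS mech file. All file contents below are constructed sample data.

# "{1 3 6 1 4 1 5322 22 1 18}" -> "1.3.6.1.4.1.5322.22.1.18"
oid_to_dotted() {
    printf '%s\n' "$1" | tr -d '{}' | awk '{ $1 = $1; gsub(/ /, "."); print }'
}

# Print the library registered for a dotted OID; exit status 1 if none.
# Assumed layout: <name> <dotted OID> <library> [options]; "#" starts a comment.
mech_library_for_oid() {    # $1 = mech file, $2 = dotted OID
    awk -v oid="$2" '
        $1 ~ /^#/ || NF < 3 { next }             # skip comments and short lines
        $2 == oid { print $3; found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the name and library are placeholders; the active OID
# is the one used in the gss-client command in the Testing section.
write_sample_mech() {       # $1 = output path
    cat > "$1" <<'EOF'
# name          OID                        library
#eap-disabled   1.2.3.4.5                  mech_eap.so
eap-example     1.3.6.1.4.1.5322.22.1.18   mech_eap.so
EOF
}

check_mech() {              # $1 = mech file, $2 = OID in brace form
    dotted=$(oid_to_dotted "$2")
    if lib=$(mech_library_for_oid "$1" "$dotted"); then
        echo "OK: $dotted -> $lib"
    else
        echo "MISSING: $dotted is not registered in $1" >&2
        return 1
    fi
}

sample=$(mktemp)
write_sample_mech "$sample"
check_mech "$sample" "{1 3 6 1 4 1 5322 22 1 18}"
rm -f "$sample"
```

To use it on a real installation, call check_mech with the path to $prefix/etc/gss/mech in place of the sample file.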