Overview ======== This is an implementation of the GSS EAP mechanism, as described in draft-ietf-abfab-gss-eap-00.txt. Building ======== In order to build this, a recent Kerberos implementation (MIT or Heimdal), Shibboleth, and EAP libraries are required, along with all of their dependencies. Note: not all SPIs are supported by the Heimdal mechanism glue, so not all features will be available. Installing ========== When installing, be sure to edit $prefix/etc/gss/mech to register the EAP mechanisms. A sample configuration file is in this directory. Make sure your RADIUS library is configured to talk to the server of your choice: see the example radsec.conf in this directory. On the RADIUS server side, you need to install dictionary.ukerna and include it from the main dictionary file. If you want the acceptor be able to identify the user, the RADIUS server needs to echo back the EAP username from the inner tunnel; for privacy, mech_eap only sends the realm in the EAP Identity response. To configure this with FreeRADIUS, add: update outer.reply { User-Name = "%{request:User-Name}" } to /etc/raddb/sites-enabled/inner-tunnel, and make sure that virtual_server = "inner-tunnel" is set in eap.conf for the EAP types being used. To test the SAML assertion code path, you can place a fixed SAML assertion in the update reply block of the default configuration. update reply { SAML-AAA-Assertion = ', and appropriately ( is the name of the host running the server, not the RADIUS server). % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \ -user -pass host@ "Testing GSS EAP" % gss-server -port 5555 -export host@ Note: for SASL you will be prompted for a username and password. % client -C -p 5556 -s host -m EAP-AES128 % server -c -p 5556 -s host -h