Table of Contents Table of contents: Radiator® AAA Server <AuthBy URL> 3.68 - <AuthBy URL> <AuthBy MULTICAST> 3.70 - <AuthBy MULTICAST>

3.69. <AuthBy KRB5>

This clause authenticates using the Kerberos 5 authentication system, which is available on most types of operating system. It authenticates from a previously defined Kerberos KDC (Key Distribution Centre). There is a sample configuration file in goodies/krb5.cfg in your distribution. AuthBy KRB5 can authenticate PAP and TTLS-PAP. Accounting are ACCEPTed but discarded.
Requires the Authen::Krb5 module version 1.3 or later. It is part of CPAN. For more information, see Section 2.1.2. CPAN.

3.69.1. KrbRealm

This optional parameter is the name of the Kerberos realm that all Kerberos users are assumed to be in. Defaults to the default Kerberos realm defined by your Kerberos administrator.
Kerberos principal names are constructed by appending @KrbRealm to the RADIUS user name (after any RADIUS realm has been stripped off. So if a user tries to authenticate as user@realm.com, and KrbRealm is set to mykrb.com, then the Kerberos principal name that will be authenticated will be 'user@mykerb.com'.
# All users are in this realm.
KrbRealm OPEN.COM.AU

3.69.2. KrbServerRealm

This optional parameter is the name of the Kerberos realm that the Kerberos server is assumed to be in. Defaults to the KrbRealm value.

3.69.3. KrbKeyTab

This optional parameter provides the path to a Kerberos keytab file. When this option is present, a service ticket will be obtained as part of each Kerberos authentication attempt to guard against Key Distribution Center spoofing. By default, the keytab is examined to locate the key for the service radius/server@realm where server is the fully qualified domain name of the machine running Radiator and realm is the Kerberos realm used during authentication. The name of the service may be overridden with the KrbService parameter, the fully qualified domain name with the KrbServer parameter and the realm with the KrbRealm parameter.
# Enable KDC spoof detection using service ticket
KrbKeyTab /etc/krb5-radius.keytab

3.69.4. KrbService

This optional parameter overrides the default value of "radius" for the service name used when locating a key to obtain a service ticket as part of Kerberos Key Distribution Center spoof detection. This parameter has no effect unless the KrbKeyTab parameter is defined. For more information, see Section 3.69.3. KrbKeyTab. This parameter should be set to the service name of the service key obtained from your Kerberos administrator.
# Service name for radius
KrbService radiusproxyauthentication

3.69.5. KrbServer

This optional parameter overrides the default value of the fully qualified domain name of the server running radiator when locating a key to obtain a service ticket as part of Kerberos Key Distribution Center spoof detection. This parameter has no effect unless the KrbKeyTab parameter is defined. For more information, see Section 3.69.3. KrbKeyTab. This parameter should be set to the hostname included in the service key obtained from your Kerberos administrator.
# Hostname of the server
KrbServer radius.example.com
Table of Contents Table of contents: Radiator® AAA Server <AuthBy URL> 3.68 - <AuthBy URL> <AuthBy MULTICAST> 3.70 - <AuthBy MULTICAST>