1 files changed, 14 insertions, 9 deletions

diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template
index d03105485..3bc4927dd 100644
--- a/ipa-server/ipa-install/share/radius.radiusd.conf.template
+++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template
@@ -57,9 +57,6 @@ thread pool {
 	max_requests_per_server = 0
 }
 modules {
-	pap {
-		auto_header = yes
-	}
 	chap {
 		authtype = CHAP
 	}
@@ -85,13 +82,19 @@ $$INCLUDE $${confdir}/eap.conf
 		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 		base_filter = "(objectclass=radiusprofile)"
 		start_tls = no
-		access_attr = "$ACCESS_ATTRIBUTE"
+		profile_attribute = "radiusProfileDn"
+		default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
+		# FIXME: we'll want to toggle the access_attr feature on/off,
+		# but it needs a control, so disable it for now.
+		#access_attr = "$ACCESS_ATTRIBUTE"
+		#access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
 		dictionary_mapping = $${raddbdir}/ldap.attrmap
 		ldap_connections_number = 5
 		edir_account_policy_check=no
 		timeout = 4
 		timelimit = 3
 		net_timeout = 1
+		clients_basedn = "$CLIENTS_BASEDN"
 	}
 	realm IPASS {
 		format = prefix
@@ -229,6 +232,10 @@ $$INCLUDE $${confdir}/eap.conf
 		override = no
 		maximum-timeout = 0
 	}
+	krb5 {
+		keytab = "$RADIUS_KEYTAB"
+		service_principal = "$RADIUS_PRINCIPAL"
+	}
 }
 instantiate {
 	exec
@@ -242,20 +249,18 @@ authorize {
 	eap
 	#files
 	ldap
-	pap
 }
 authenticate {
-	Auth-Type PAP {
-		pap
-	}
 	Auth-Type CHAP {
 		chap
 	}
 	Auth-Type MS-CHAP {
 		mschap
 	}
-	unix
 	eap
+	Auth-Type Kerberos {
+		krb5
+	}
 }
 preacct {
 	preprocess