This optional parameter provides the path to a Kerberos keytab
file. When this option is present, a service ticket will be obtained as
part of each Kerberos authentication attempt to guard against Key
Distribution Center spoofing. By default, the keytab is examined to locate
the key for the service radius/server@realm, where server is the fully
qualified domain name of the machine running Radiator and realm is the
Kerberos realm used during authentication. The name of the service may be
overridden with the KrbService parameter, the fully qualified domain name
with the KrbServer parameter, and the realm with the KrbRealm
parameter.

# Enable KDC spoof detection using service ticket
KrbKeyTab /etc/krb5-radius.keytab
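
The following shell script is an added example, not part of the Radiator documentation. It checks that a keytab listing contains a key for the service principal described above, building the name as service/server@realm with the default service "radius". It assumes MIT Kerberos "klist -k" output; the function names and the example.com hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Radiator documentation). Checks that a keytab
# listing holds a key for the service principal the KrbKeyTab text describes.
# Assumes MIT Kerberos `klist -k` output: "KVNO Principal" rows after a header.

# Build the principal name from its three parts: service/server@realm.
# The default service is "radius"; KrbService, KrbServer and KrbRealm
# replace the corresponding part of the name.
expected_principal() {
    printf '%s/%s@%s\n' "${1:-radius}" "$2" "$3"
}

# Read `klist -k` output on stdin; succeed if any row names the principal.
# Rows start with a numeric KVNO, which skips the header and separator lines.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample listing (example.com names are placeholders).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5-radius.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 radius/radius1.example.com@EXAMPLE.COM
   3 host/radius1.example.com@EXAMPLE.COM
EOF
}

# Live check: check_keytab KEYTAB REALM [SERVER] [SERVICE]
check_keytab() {
    server=${3:-$(hostname -f)}
    want=$(expected_principal "${4:-radius}" "$server" "$2")
    if klist -k "$1" | keytab_has_principal "$want"; then
        echo "ok: $want present in $1"
    else
        echo "missing: $want not in $1" >&2
        return 1
    fi
}

# Run only when called with arguments, e.g.:
#   sh check-keytab.sh /etc/krb5-radius.keytab EXAMPLE.COM
if [ "$#" -ge 2 ]; then check_keytab "$@"; fi
```

Principal names are compared case-sensitively, so the server part must match the keytab entry exactly.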