Re: Authentication with Kerberos

To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Subject: Re: Authentication with Kerberos
From: "thomas hahusseau" <thomas.hahusseau@gmail.com>
Date: Thu, 15 Jun 2006 14:15:58 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=OQngczXuyC7h46I71RcGiIbS0riO75Pu1wimVHaVarsN/Qknq8U/oV2HdWjUD2ptwEJ4MHRQlaSEMxe1eBd/xya5WLGXXfGl7fEzV4so6ztE7UEtlo4zTw8wTc1huGzwFZTG/wTk8KHsGFd5PdNkgSaDYFJFO6mLMECJ/mcfqtE=
In-reply-to: <44913B5C.9070208@bristol.ac.uk>
References: <29758d3a0606150232r7052130bk92676dcebddf1b28@mail.gmail.com> <44913B5C.9070208@bristol.ac.uk>
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

the problem is that my wifi card (Cisco Aironet) doesn't support the TTLS i'll try to find one which support it .

About TTLS is it that kind of EAP authentification with :
Step 1 : TLS handshake , 1 certificat on radius server and 1 certificate on supplicant ?
Step 2 : Kerberos or any other kind of authentication inside the TLS tunnel ?

in fact I plan to use the PEAP authentication like that :
Step 1 : building a TLS tunnel (Certificate on Radius server only)
Step 2 : Supplicant sent login + hashed password
Step 3 : freeradius ask Active Directory for a kerberos ticket/token
Step 4 :freeradius send its token to the AD and ask for performing a search in ldap directory
Step 5 : check in the token if freeradius is allowed to search inside LDAP
Step 6 : comparason of hashed password.

According to me that solution would remplace the ntlm auth , and it's not the supplicant which use kerberos but freeradius, to perform a secure authentication with LDAP database.

could you give informations or telling me if I'm right ?

thank you
thomas

2006/6/15, Josh Howlett <josh.howlett@bristol.ac.uk>:

thomas hahusseau wrote:
> Hello,
>
> I would like to set up that kind of configuration :
>
> EAP-PEAP(Mschapv2) Request ---> AP ---> Freeradius ----> Kerberos
> authentication to an Active Directory

This isn't possible - EAP-PEAP requires access to the plaintext password
or NTLM hash.

You should be able to do this with EAP-TTLS, however.

best regards, josh.

> In fact i would like to use Kerberos (wich is supported by Active
> Directory) instead of ntlm_auth, in freeradius features list avalaible
> onf the official website I have found :
>
>     * authentication to a Windows Domain Controller (via ntlm_auth and
>       winbindd)
>
>     * Kerberos authentication
>
> Anyone can confirm this possibility to use Kerberos auth with freeradius
> and maybe any how-to or advices ?
>
> thank you
> Thomas Hahusseau
>
>
>
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

References:
- Authentication with Kerberos
  - From: "thomas hahusseau" <thomas.hahusseau@gmail.com>
- Re: Authentication with Kerberos
  - From: Josh Howlett <josh.howlett@bristol.ac.uk>

Previous by Date: Re: \000 in "octets" attribute?
Next by Date: Re: \000 in "octets" attribute?
Previous by Thread: Re: Authentication with Kerberos
Next by Thread: Authentification link with PEAP + PAM + LDAP
Freeradius-Users June 2006 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.