HOWTO WLAN Access Point authenticate user via kerberos

Phil Mayers p.mayers at imperial.ac.uk
Thu Dec 10 15:18:00 CET 2009


John Mok wrote:
> Hi,
> 
> I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that 
> access point authenticates WLAN users via Kerberos (or GSSAPI / 
> Kerberos) and grant access to the wired network upon successful 
> authentication.
> 
> Is FreeRADIUS the right tool to use? If so, I hope someone could point 
> to the documentation how to set it up. Is there any requirement on the 
> access point, e.g. support for 802.1X is sufficient?
> 

Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically 
means taking the user's plaintext password and doing a "kinit" with it.

This means you will need to do EAP-TTLS/PAP, which requires installing 
software on Windows clients, because Windows doesn't support TTLS.

The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the 
MSCHAP checked against Active Directory using Samba in domain-member 
mode and the ntlm_auth helper.

But yes - once you've got EAP-TTLS/PAP working, you can check the PAP 
request against Kerberos.

For more info, see here:

http://deployingradius.com/documents/protocols/compatibility.html
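
The setup described in the reply above, sketched as a FreeRADIUS configuration (an added example, not part of the original post and not the list's or project's own text). It assumes a FreeRADIUS 2.x raddb layout with the stock "inner-tunnel" virtual server; the keytab path, service principal and realm are placeholders.

```conf
# --- raddb/modules/krb5 ---
# The krb5 module takes the cleartext User-Password and tries to obtain
# Kerberos credentials with it (the "kinit" step), then verifies the KDC's
# answer against the service key in the keytab.
krb5 {
	keytab = /etc/raddb/radius.keytab              # placeholder path
	service_principal = radius/radius.example.org  # placeholder principal
}

# --- raddb/eap.conf (excerpt) ---
# The outer EAP-TTLS tunnel protects the PAP password between the client
# and the RADIUS server. The existing tls { } section with the server
# certificate is assumed to be configured already.
eap {
	default_eap_type = ttls
	ttls {
		# Hand the tunnelled (inner) request to the inner-tunnel server.
		virtual_server = "inner-tunnel"
	}
}

# --- raddb/sites-available/inner-tunnel (excerpt) ---
server inner-tunnel {
	authorize {
		# Only a PAP request carries User-Password. MS-CHAP and CHAP
		# requests have no cleartext password, so they cannot be
		# checked against Kerberos and are not matched here.
		if (User-Password) {
			update control {
				Auth-Type := Kerberos
			}
		}
	}
	authenticate {
		Auth-Type Kerberos {
			krb5
		}
	}
}
```

With this layout the RADIUS server handles every user's cleartext password, so supplicants should be configured to validate the server certificate before the TTLS tunnel is trusted.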


