WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos

Alan DeKok aland at deployingradius.com
Fri May 8 22:11:23 CEST 2009

Arran Cudbard-Bell wrote:
>>    If you use SecureW2, you can configure Windows to do TTLS+PAP.  That
>> will supply a clear-text password in the inner tunnel, which will allow
>> kerberos to work.
> Really? I would have thought the exchange would be far more complex than
> just PAP? Surely you can't bootstrap Kerberos like that.

  You can't.  But you can use a KDC as an authentication oracle.

RADIUS: Is this PAP password OK?
KDC: yes/no.
RADIUS: thanks...

> Has anyone actually got EAP-Kerberos or some other equivalent scheme
> working with windows ?

  Ugh.  No.

  Alan DeKok.

More information about the Freeradius-Users mailing list