On 8/5/09 21:11, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
If you use SecureW2, you can configure Windows to do TTLS+PAP. That will supply a clear-text password in the inner tunnel, which will allow kerberos to work.
Really? I would have thought the exchange would be far more complex than just PAP? Surely you can't bootstrap Kerberos like that.
You can't. But you can use a KDC as an authentication oracle.
RADIUS: Is this PAP password OK? KDC: yes/no.
Does it request a TGT and then see if it can decrypt it ?
RADIUS: thanks...
Yes realised what you were doing :) I suppose it's usefulish...
Has anyone actually got EAP-Kerberos or some other equivalent scheme working with windows ?
Ugh. No.
Didn't think so. If only those Xsupplicant guys managed to get it working on a platform *other* than XP. Maybe people would be more inclined to contribute code to do these neat things *sigh*. I'm going to file this under the *really really cool, but not for another decade* section. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2