David Pullman wrote:
I've been reading the FAQs, the man pages, and going over mailing list archives, and also the info at deployingradius.com. I thought I should start by checking that I'm heading in the right direction before trying building stuff. I'm proposing that we use Freeradius to authenticate the connections to the wireless APs using the MIT Kerberos server. If this is possible, would it be done using EAP-TTLS from the clients,
Yes.
and the Auth-Type would need to be defaulted to Kerberos so that the rlm_krb5 module would be used? I'm basing this on the Protocols page in conjunction with a thread from earlier in October about EAP-TTLS and Kerberos.
Pretty much. If you follow the instructions in the previous thread, you can set: DEFAULT FreeRADIUS-Proxied-To := 127.0.0.1, Auth-Type = Kerberos Put that at the top of the "users" file, and EAP-TTLS with tunneled PAP should work. This also means having EAP-TTLS software on the clients (SecureW2 for Windows), and configuring them with PAP as the inner tunnel authentication method. Alan DeKok.