802.1x, deault windows supplicant and kerberos
Hello, I wonder if it is possible to configure freeradius to authenticate default windows supplicants (offering PEAP only method) to authenticate users in wired network against kerberos. I have working configuration - freeradius can succesfully authenticate users against kerberos using DEFULT Auth-Type = Kerberos in users file: Found Auth-Type = Kerberos # Executing group from file /etc/raddb/sites-enabled/default +- entering group Kerberos {...} rlm_krb5: verify_krb_v5_tgt: host key not found : Key table entry not found ++[krb5] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop ++[reply] returns noop Sending Access-Accept of id 11 to 10.5.200.201 port 1645 Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" Finished request 0. Going to the next request Now I would like to protect ethernet network with 802.1x protocol. I am stuck, because I don't have User-Password inside of the PEAP tunnel (I know the reason why I don;t have that password there, no need to explain :)) which is needed for kerberos module. Is there any other method to get it working ? I've googled out some info about using ttls tunnel instead of peap, but I have no idea how to force windows supplicants to do so. Best regards -- Adrian
Adrian Czapek wrote:
Hello, I wonder if it is possible to configure freeradius to authenticate default windows supplicants (offering PEAP only method) to authenticate users in wired network against kerberos. I have working configuration - freeradius can succesfully authenticate users against kerberos using DEFULT Auth-Type = Kerberos in users file:
Kerberos is incompatible with PEAP. http://deployingradius.com/documents/protocols/compatibility.html
Now I would like to protect ethernet network with 802.1x protocol. I am stuck, because I don't have User-Password inside of the PEAP tunnel (I know the reason why I don;t have that password there, no need to explain :)) which is needed for kerberos module. Is there any other method to get it working ? I've googled out some info about using ttls tunnel instead of peap, but I have no idea how to force windows supplicants to do so.
Change the supplicant to use EAP-GTC. That might work. Otherwise, it's impossible. Alan DeKok.
2012/6/18 Alan DeKok <aland@deployingradius.com>
Change the supplicant to use EAP-GTC. That might work.
Otherwise, it's impossible.
Thanks, just found this: http://fuhry.us/blog/2012/01/01/mschapv2-against-mit-kerberos-yes-you-can/ but that requires to patch kerberos which probably I won't be allowed to do. Regards -- Adrian
On 18/06/12 10:06, Adrian Czapek wrote:
2012/6/18 Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>>
Change the supplicant to use EAP-GTC. That might work.
Otherwise, it's impossible.
Thanks, just found this: http://fuhry.us/blog/2012/01/01/mschapv2-against-mit-kerberos-yes-you-can/ but that requires to patch kerberos which probably I won't be allowed to do.
Important note for the archive: this only works if you are using MIT Kerberos as your KDC, and can patch your KDC. It does NOT work for Active Directory.
participants (3)
-
Adrian Czapek -
Alan DeKok -
Phil Mayers