Freeradius & kerberos preauth
I ahve looked on the web and haven't found anything afirming that freeradius will support or not support preauth with kerberos v5. Is anyone using preauth with kerberos v5 and freeradius? If there is documentation on this please point me in the right direction. Thanks, -Roy -- /********************************************************************/ /* Roy Hockett * Telephone: (734) 763-7325 */ /* Network Engineer, * FAX: (734) 615-1727 */ /* ITCom, * Internet: royboy@umich.edu */ /* University of Michigan * */ /********************************************************************/
Alan, In kerberos v4 a client would request a Ticket Granting Ticket (TGT) from the Kerberos KDC, and the KDC would comply and send it. In kerberos v5 you can require what is referred to as preauth, and this means that the KDC doesn return a TGT until the client has authenticated. So I am asking if anyone have freeradius with the kerberos module working with a Kerberos KDC that requires preauthentication. Thanks, -Roy /********************************************************************/ /* Roy Hockett * Telephone: (734) 763-7325 */ /* Network Engineer, * FAX: (734) 615-1727 */ /* ITCom, * Internet: royboy@umich.edu */ /* University of Michigan * */ /********************************************************************/ On Fri, 1 Jul 2005, Alan DeKok wrote:
"Roy D. Hockett" <royboy@umich.edu> wrote:
I ahve looked on the web and haven't found anything afirming that freeradius will support or not support preauth with kerberos v5.
"preauth"?
There's an rlm_krb5 module, if that's what you're looking for.
Alan DekOk.
"Roy D. Hockett" <royboy@umich.edu> wrote:
In kerberos v5 you can require what is referred to as preauth, and this means that the KDC doesn return a TGT until the client has authenticated. So I am asking if anyone have freeradius with the kerberos module working with a Kerberos KDC that requires preauthentication.
Hmm... I'm not sure the interaction of RADIUS & Kerberos allows for that. So far as the FreeRADIUS server is concerned, kerberos is just another "database", that returns OK/Fail for user/password authentication. The user doesn't even know that FreeRADIUS is doing kerberos. I thnk the answer to your question is "No". The user isn't doing kerberos, so any "pre-auth" or TGT stuff just won't work. Alan DeKok.
Kerberos pre-auth works it (the KDC) requests an encrypted timestamp before sending credentials. If your radius server has a host/fqdn entry in /etc/krb5.keyatb it will just work. You probably want hardware pre-auth and I don't know about that one. You could ask kerberos@mit.edu On Fri, 2005-07-01 at 07:57, Roy D. Hockett wrote:
I ahve looked on the web and haven't found anything afirming that freeradius will support or not support preauth with kerberos v5. Is anyone using preauth with kerberos v5 and freeradius? If there is documentation on this please point me in the right direction.
Thanks, -Roy
Hello, Has anyone heard of or has a radius based solution that can block certain PSTN numbers from being terminated by a Cisco gateway. We have a 2650XM connected to E1-PSTN, there's a file of about 250,000 rogue pstn numbers we need to block from being terminated. I look forward to your reply. Regards, Abdul Hakeem
"Abdul Hakeem" <alhakeem@gmail.com> wrote:
Has anyone heard of or has a radius based solution that can block certain PSTN numbers from being terminated by a Cisco gateway.
Does the gateway send the numbers in a RADIUS packet?
We have a 2650XM connected to E1-PSTN, there's a file of about 250,000 rogue pstn numbers we need to block from being terminated.
I'd say put the numbers in a flat-text file, and use rlm_passwd to read the file, and to set 'Auth-Type = Reject' if the number is there. Alan DeKok.
participants (4)
-
Abdul Hakeem -
Alan DeKok -
Kenneth Grady -
Roy D. Hockett