HOWTO WLAN Access Point authenticate user via kerberos
Hi, I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grant access to the wired network upon successful authentication. Is FreeRADIUS the right tool to use? If so, I hope someone could point to the documentation how to set it up. Is there any requirement on the access point, e.g. support for 802.1X is sufficient? Thanks a lot. John Mok
John Mok wrote:
Hi,
I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grant access to the wired network upon successful authentication.
Is FreeRADIUS the right tool to use? If so, I hope someone could point to the documentation how to set it up. Is there any requirement on the access point, e.g. support for 802.1X is sufficient?
Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically means taking the usernames plaintext password and doing a "kinit" with it. This means you will need to do EAP-TTLS/PAP, which requires installing software on Windows clients, because windows doesn't support TTLS. The common choice for windows clients ie EAP-PEAP/MSCHAPv2, with the MSCHAP checked against Active Directory using Samba in domain-member mode and the ntlm_auth helper. But yes - once you've got EAP-TTLS/PAP working, you can check the PAP request against Kerberos. For more info, see here: http://deployingradius.com/documents/protocols/compatibility.html
Hi Phil, Thank you for your prompt reply. I googled about the subject and found the following message :- http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html Can any one tell me about what the module rlm_krb5 does? Does the module proxy the kerberos authentication to the KDC on behalf of the WLAN users, and grant access to the wired network upon successful authentication? WLAN client ---EAP--- Access Point ---kerberos--- KDC Thanks a lot. John Mok Phil Mayers wrote:
John Mok wrote:
Hi,
I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos) and grant access to the wired network upon successful authentication.
Is FreeRADIUS the right tool to use? If so, I hope someone could point to the documentation how to set it up. Is there any requirement on the access point, e.g. support for 802.1X is sufficient?
Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically means taking the usernames plaintext password and doing a "kinit" with it.
This means you will need to do EAP-TTLS/PAP, which requires installing software on Windows clients, because windows doesn't support TTLS.
The common choice for windows clients ie EAP-PEAP/MSCHAPv2, with the MSCHAP checked against Active Directory using Samba in domain-member mode and the ntlm_auth helper.
But yes - once you've got EAP-TTLS/PAP working, you can check the PAP request against Kerberos.
For more info, see here:
http://deployingradius.com/documents/protocols/compatibility.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 12/11/2009 12:14 PM, John Mok wrote:
Hi Phil,
Thank you for your prompt reply.
I googled about the subject and found the following message :-
http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html
Can any one tell me about what the module rlm_krb5 does? Does the module proxy the kerberos authentication to the KDC on behalf of the WLAN users, and grant access to the wired network upon successful authentication?
Yes, it is functionally equivalent to taking the password supplied in the radius access request message and invoking kinit with it and testing to see if it succeeds. Please note, I said "functionally equivalent" it does not invoke kinit rather it uses the krb5 libraries to try and obtain a TGT on behalf of of the user, it also validates the KDC. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
John Dennis -
John Mok -
Phil Mayers