Proposed Freeradius - Kerberos authentication

David Pullman dpullman at nist.gov
Tue Oct 23 16:47:16 CEST 2007


We have a new requirement to provide wireless access to our network with
an authenticated connection.  The wireless access/connection is
controlled by a Cisco 4402 controller.  The clients that will connect
are Windows XP, Mac OSX, and Linux OS laptops.

We have all of the systems on the wired network currently logging in to
either to a Windows AD domain (XP) or to a MIT Kerberos realm (Linux and
OSX).  The user password is synchronized on these two authentication
sources.

I've been reading the FAQs, the man pages, and going over mailing list
archives, and also the info at deployingradius.com.  I thought I should
start by checking that I'm heading in the right direction before trying
building stuff.  I'm proposing that we use Freeradius to authenticate
the connections to the wireless APs using the MIT Kerberos server.  If
this is possible, would it be done using EAP-TTLS from the clients, and
the Auth-Type would need to be defaulted to Kerberos so that the
rlm_krb5 module would be used?  I'm basing this on the Protocols page in
conjunction with a thread from earlier in October about EAP-TTLS and
Kerberos.

Thanks very much.

--David Pullman




More information about the Freeradius-Users mailing list