Proposed Freeradius - Kerberos authentication

Josh Howlett Josh.Howlett at ja.net
Tue Oct 23 16:57:48 CEST 2007


David,

> I've been reading the FAQs, the man pages, and going over 
> mailing list archives, and also the info at 
> deployingradius.com.  I thought I should start by checking 
> that I'm heading in the right direction before trying 
> to build stuff.  I'm proposing that we use Freeradius to 
> authenticate the connections to the wireless APs using the 
> MIT Kerberos server.  If this is possible, would it be done 
> using EAP-TTLS from the clients, and the Auth-Type would need 
> to be defaulted to Kerberos so that the rlm_krb5 module 
> would be used?  I'm basing this on the 
> Protocols page in conjunction with a thread from earlier in 
> October about EAP-TTLS and Kerberos.

You're heading in the right direction.

Note that if the synced passwords all exist in the AD, you can also
consider the use of EAP-PEAP; the principal advantage being the use of
the Windows native supplicant; this does not support EAP-TTLS without
the use of third-party tools.

josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
