Proposed Freeradius - Kerberos authentication
Alan DeKok
aland at deployingradius.com
Tue Oct 23 16:59:52 CEST 2007
David Pullman wrote:
> I've been reading the FAQs, the man pages, and going over mailing list
> archives, and also the info at deployingradius.com. I thought I should
> start by checking that I'm heading in the right direction before trying
> building stuff. I'm proposing that we use Freeradius to authenticate
> the connections to the wireless APs using the MIT Kerberos server. If
> this is possible, would it be done using EAP-TTLS from the clients,
Yes.
> and
> the Auth-Type would need to be defaulted to Kerberos so that the
> rlm_krb5 module would be used? I'm basing this on the Protocols page in
> conjunction with a thread from earlier in October about EAP-TTLS and
> Kerberos.
Pretty much. If you follow the instructions in the previous thread,
you can set:
DEFAULT FreeRADIUS-Proxied-To := 127.0.0.1, Auth-Type = Kerberos
Put that at the top of the "users" file, and EAP-TTLS with tunneled
PAP should work.
This also means having EAP-TTLS software on the clients (SecureW2 for
Windows), and configuring them with PAP as the inner tunnel
authentication method.
Alan DeKok.
More information about the Freeradius-Users
mailing list