Proposed Freeradius - Kerberos authentication

Alan DeKok aland at
Tue Oct 23 16:59:52 CEST 2007

David Pullman wrote:
> I've been reading the FAQs, the man pages, and going over mailing list
> archives, and also the info at  I thought I should
> start by checking that I'm heading in the right direction before trying
> building stuff.  I'm proposing that we use Freeradius to authenticate
> the connections to the wireless APs using the MIT Kerberos server.  If
> this is possible, would it be done using EAP-TTLS from the clients,


> and
> the Auth-Type would need to be defaulted to Kerberos so that the
> rlm_krb5 module would be used?  I'm basing this on the Protocols page in
> conjunction with a thread from earlier in October about EAP-TTLS and
> Kerberos.

  Pretty much.  If you follow the instructions in the previous thread,
you can set:

DEFAULT FreeRADIUS-Proxied-To :=, Auth-Type = Kerberos

  Put that at the top of the "users" file, and EAP-TTLS with tunneled
PAP should work.

  This also means having EAP-TTLS software on the clients (SecureW2 for
Windows), and configuring them with PAP as the inner tunnel
authentication method.

  Alan DeKok.

More information about the Freeradius-Users mailing list