HOWTO WLAN Access Point authenticate user via kerberos
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 10 15:18:00 CET 2009
John Mok wrote:
> Hi,
>
> I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that
> access point authenticates WLAN users via Kerberos (or GSSAPI /
> Kerberos) and grant access to the wired network upon successful
> authentication.
>
> Is FreeRADIUS the right tool to use? If so, I hope someone could point
> to the documentation how to set it up. Is there any requirement on the
> access point, e.g. support for 802.1X is sufficient?
>
Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically
means taking the username's plaintext password and doing a "kinit" with it.

This means you will need to do EAP-TTLS/PAP, which requires installing
software on Windows clients, because Windows doesn't support TTLS.

The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the
MSCHAP checked against Active Directory using Samba in domain-member
mode and the ntlm_auth helper.

But yes - once you've got EAP-TTLS/PAP working, you can check the PAP
request against Kerberos.

For more info, see here:
http://deployingradius.com/documents/protocols/compatibility.html
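
A sketch of the EAP-TTLS/PAP to Kerberos arrangement described in the reply above, added here as an illustration; it is not from the thread or the FreeRADIUS distribution. It assumes a FreeRADIUS 2.x raddb layout, and the keytab path and service principal are placeholders.

```text
# Constructed example: paths, host name and principal are placeholders.

# raddb/modules/krb5 -- Kerberos module instance (does the "kinit"-style check)
krb5 {
	keytab = /etc/raddb/radius.keytab
	service_principal = radius/radius.example.org
}

# raddb/eap.conf, inside the eap { } block. The tls { } block with the
# server certificate must also be configured, since TTLS builds on it.
ttls {
	# Send the tunneled (inner) request to its own virtual server.
	virtual_server = "inner-tunnel"
}

# raddb/sites-available/inner-tunnel -- receives the PAP User-Password
# that the client sent inside the TLS tunnel.
server inner-tunnel {
	authorize {
		# Kerberos needs the plaintext password, so only route
		# requests that actually carry one (i.e. inner PAP).
		if (User-Password) {
			update control {
				Auth-Type := Kerberos
			}
		}
	}
	authenticate {
		Auth-Type Kerberos {
			krb5
		}
	}
}
```

With inner PAP the password is protected only by the TLS tunnel, so clients should be configured to validate the RADIUS server's certificate before sending credentials.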