HOWTO WLAN Access Point authenticate user via kerberos
John Mok
jmok at attglobal.net
Fri Dec 11 18:14:17 CET 2009
Hi Phil,

Thank you for your prompt reply.

I googled the subject and found the following message:

http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html

Can anyone tell me what the module rlm_krb5 does? Does the module
proxy the Kerberos authentication to the KDC on behalf of the WLAN
users, and grant access to the wired network upon successful authentication?

WLAN client ---EAP--- Access Point ---kerberos--- KDC

Thanks a lot.

John Mok

Phil Mayers wrote:
> John Mok wrote:
>> Hi,
>>
>> I am new to FreeRADIUS. I would like to set up FreeRADIUS such that
>> the access point authenticates WLAN users via Kerberos (or GSSAPI /
>> Kerberos) and grants access to the wired network upon successful
>> authentication.
>>
>> Is FreeRADIUS the right tool to use? If so, I hope someone could point
>> me to the documentation on how to set it up. Is there any requirement on
>> the access point, e.g. is support for 802.1X sufficient?
>>
>
> Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically
> means taking the username's plaintext password and doing a "kinit" with it.
>
> This means you will need to do EAP-TTLS/PAP, which requires installing
> software on Windows clients, because Windows doesn't support TTLS.
>
> The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the
> MSCHAP checked against Active Directory using Samba in domain-member
> mode and the ntlm_auth helper.
>
> But yes - once you've got EAP-TTLS/PAP working, you can check the PAP
> request against Kerberos.
>
> For more info, see here:
>
> http://deployingradius.com/documents/protocols/compatibility.html
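
The setup Phil describes (EAP-TTLS with inner PAP, checked against Kerberos), as an added configuration example that is not part of the original messages. It assumes a FreeRADIUS 2.x raddb layout with rlm_krb5 built in; the keytab path and service principal are placeholders.

```text
# raddb/modules/krb5  (FreeRADIUS 2.x layout, assumed)
krb5 {
	# Keytab and principal of the RADIUS host itself (placeholder values).
	# With these set, the module can verify the KDC's reply against a key
	# only this host holds, instead of trusting whatever answered.
	keytab = /etc/raddb/radius.keytab
	service_principal = radius/radius.example.org
}

# raddb/sites-available/inner-tunnel
# Handles the requests unwrapped from the EAP-TTLS tunnel.
server inner-tunnel {
	authorize {
		# Only PAP carries a cleartext User-Password, which is what the
		# "kinit"-style check needs. MS-CHAP or EAP-MD5 inner requests
		# have no User-Password and never reach the Kerberos check.
		if (User-Password && !control:Auth-Type) {
			update control {
				Auth-Type := Kerberos
			}
		}
	}

	authenticate {
		Auth-Type Kerberos {
			krb5
		}
	}
}
```

Because the inner PAP request carries the user's Kerberos password in cleartext inside the tunnel, the supplicants must be configured to validate the RADIUS server's certificate before sending it.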