WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Fri May 8 21:24:45 CEST 2009
On 8/5/09 20:00, Alan DeKok wrote:
> Scott Sears wrote:
>> I cannot get all the pieces working together.
>> Laptop->AP->Freeradius->Kerberos.
>
> It's impossible.
>
> Kerberos requires a clear-text password to authenticate (or various
> Kerberos crypto tokens derived from the password).
>
> PEAP supplies an MS-CHAP hash, not a clear-text password.
>
> So the two are *incompatible*.
>
> If you use SecureW2, you can configure Windows to do TTLS+PAP. That
> will supply a clear-text password in the inner tunnel, which will allow
> Kerberos to work.
>
Really? I would have thought the exchange would be far more complex than
just PAP? Surely you can't bootstrap Kerberos like that.
>> I can see this problem has been posted to the list many times,
>
> Kerberos + EAP? I don't recall seeing that very often.
>
It's not supported by any Windows supplicants I've come across.
> Windows + EAP questions happen a lot...
>
Has anyone actually got EAP-Kerberos or some other equivalent scheme
working with Windows?
Arran
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
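
The TTLS+PAP arrangement suggested in the quoted reply, sketched as FreeRADIUS configuration. This is an added example, not part of the thread or of the FreeRADIUS distribution. The keytab path, the service principal and the Auth-Type name "Kerberos" are assumptions, and the rest of the eap module (certificates, other methods) is taken to be configured already.

```conf
# modules/krb5 : rlm_krb5 instance.
# Keytab path and principal are placeholders (assumptions).
krb5 {
	keytab = /etc/raddb/radius.keytab
	service_principal = radius/radius.example.org
}

# eap module, ttls sub-section: pass the tunnelled (inner) request
# to the inner-tunnel virtual server.
ttls {
	virtual_server = "inner-tunnel"
}

# sites-available/inner-tunnel
server inner-tunnel {
	authorize {
		# TTLS+PAP: the inner request carries User-Password in clear
		# text, which is what the Kerberos module needs.
		if (User-Password) {
			update control {
				Auth-Type := Kerberos
			}
		}
		# PEAP/MS-CHAPv2 supplies MS-CHAP-Challenge and
		# MS-CHAP2-Response instead. No clear-text password is
		# present, so krb5 cannot be used for that request.
		else {
			reject
		}
	}

	authenticate {
		# krb5 uses the supplied password to obtain Kerberos
		# credentials for the user from the KDC.
		Auth-Type Kerberos {
			krb5
		}
	}
}
```

With this layout the RADIUS server sees the user's clear-text password inside the tunnel, so the supplicant has to validate the server certificate before sending it.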