WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos

Scott Sears scott at myemma.com
Fri May 8 21:38:12 CEST 2009


Alan,

Thank you for your quick and kind response.

On May 8, 2009, at 2:00 PM, Alan DeKok wrote:

> Scott Sears wrote:
>> I cannot get all the pieces working together.
>> Laptop->AP->Freeradius->Kerberos.
>
>  It's impossible.

Here is the thread which made me think it was possible, and led me to  
this list.  Apparently I've made a mistake, but perhaps you can  
explain the difference between my goal and the one described in the  
thread?

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39522.html

On May 8, 2009, at 2:00 PM, Alan DeKok wrote:

>  Kerberos requires a clear-text password to authenticate (or various
> Kerberos crypto tokens derived from the password).
>
>  PEAP supplies an MS-CHAP hash, not a clear-text password.

I understand this.  I believed that I could set up an encryption  
tunnel and then send the cleartext securely within tunnel to the KDC.

All that being said, here is my last question:

Is it *in any way* possible to securely authorize mobile supplicants  
through a wireless AP to a Freeradius server using a KDC for  
authentication?  Perhaps its doable, but I'm just not on the right  
track.

Thanks again for your time.

Scott Sears




More information about the Freeradius-Users mailing list