WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos

Alan DeKok aland at deployingradius.com
Fri May 8 22:07:36 CEST 2009

Scott Sears wrote:
> Here is the thread which made me think it was possible, and led me to
> this list.  Apparently I've made a mistake, but perhaps you can explain
> the difference between my goal and the one described in the thread?

  The difference is you are NOT using the EAP method recommended either
in that thread, or in my previous response.

  The debug log you posted showed MS-CHAP authentication.  That is
impossible to use with Kerberos.

>>  PEAP supplies an MS-CHAP hash, not a clear-text password.
> I understand this.  I believed that I could set up an encryption tunnel
> and then send the cleartext securely within tunnel to the KDC.

  Yes... but you didn't do that.  The thread you pointed to, and my
message, both told you the same thing: use TTLS+PAP.

  You're not doing that.

  You won't be able to use Kerberos until you follow the instructions
posted here, and in the thread you claimed to have read.

> All that being said, here is my last question:
> Is it *in any way* possible to securely authorize mobile supplicants
> through a wireless AP to a Freeradius server using a KDC for
> authentication?  Perhaps it's doable, but I'm just not on the right track.

  Perhaps you can try reading my messages?

  I told you how it was possible: Download SecureW2, and use TTLS+PAP.

  Rather than doing that, you've wasted your time, and mine, by asking
"how do I do it".  I already told you.  Once in that thread, and again
in my previous email message.

  Follow the instructions in the thread, and in my previous email
message.  I really can't emphasize that enough.

  Alan DeKok.
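
An added illustration of the point made in this message (not code from the post, and not FreeRADIUS code): a toy model of why an MS-CHAP inner method cannot be checked against a KDC while TTLS+PAP can. `ToyKDC`, the realm, the account and the SHA-256/HMAC/PBKDF2 stand-ins for the real MS-CHAP and Kerberos primitives are all assumptions made for the example.

```python
import hashlib, hmac

REALM = "EXAMPLE.ORG"  # constructed realm name

def string_to_key(user, password):
    # Stand-in for Kerberos string-to-key: salted PBKDF2, salt = realm + principal
    salt = (REALM + user).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

class ToyKDC:
    """Hypothetical KDC model: it can test a cleartext password, nothing else."""
    def __init__(self):
        self._keys = {}
    def add_principal(self, user, password):
        self._keys[user] = string_to_key(user, password)
    def check_password(self, user, password):
        key = self._keys.get(user)
        return key is not None and hmac.compare_digest(key, string_to_key(user, password))

def password_hash(password):
    # Stand-in for the unsalted hash MS-CHAP is built on (really MD4 of UTF-16LE)
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def chap_response(pw_hash, challenge):
    # Stand-in for the MS-CHAP response: keyed by the password hash, not the password
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

def radius_authenticate(kdc, user, inner, local_hashes=None):
    """Decide an inner-tunnel request; `inner` is what the EAP tunnel delivered."""
    if inner["method"] == "PAP":
        # TTLS+PAP: the cleartext password arrives, so the KDC can be asked
        return "accept" if kdc.check_password(user, inner["password"]) else "reject"
    if inner["method"] == "MSCHAP":
        # PEAP/MS-CHAP: only challenge + response arrive; recomputing the
        # response needs the password hash, which a KDC never hands out
        pw_hash = (local_hashes or {}).get(user)
        if pw_hash is None:
            return "cannot-verify"
        expected = chap_response(pw_hash, inner["challenge"])
        return "accept" if hmac.compare_digest(expected, inner["response"]) else "reject"
    return "reject"

if __name__ == "__main__":
    kdc = ToyKDC(); kdc.add_principal("alice", "s3cret")  # constructed account
    chal = b"\x01" * 16
    mschap = {"method": "MSCHAP", "challenge": chal,
              "response": chap_response(password_hash("s3cret"), chal)}
    print(radius_authenticate(kdc, "alice", {"method": "PAP", "password": "s3cret"}))
    print(radius_authenticate(kdc, "alice", mschap))
```

The `local_hashes` argument models a separate password-hash store; with only the KDC behind the server, the MS-CHAP branch has nothing to compare the response against.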

