WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos
Scott Sears
scott at myemma.com
Fri May 8 22:17:53 CEST 2009

Alan,

Thank you so much for your time. I truly did read the thread - many
times (that's why my config worked perfectly once I changed the
setting on the supplicant) and it was and is clear that you are an
expert on the subject.... that's why I posted to this list.

Those of us who are new to these concepts could not become useful
members of the community without your help. You've made my week, and
I hope that I can be helpful to someone in this regard in the future.

Kindest regards,
Scott

On May 8, 2009, at 3:07 PM, Alan DeKok wrote:
> Scott Sears wrote:
>> Here is the thread which made me think it was possible, and led me to
>> this list. Apparently I've made a mistake, but perhaps you can explain
>> the difference between my goal and the one described in the thread?
>
> The difference is you are NOT using the EAP method recommended either
> in that thread, or in my previous response.
>
> The debug log you posted showed MS-CHAP authentication. That is
> impossible to use with Kerberos.
>
>>> PEAP supplies an MS-CHAP hash, not a clear-text password.
>>
>> I understand this. I believed that I could set up an encryption tunnel
>> and then send the cleartext securely within tunnel to the KDC.
>
> Yes... but you didn't do that. The thread you pointed to, and my
> message, both told you the same thing: use TTLS+PAP.
>
> You're not doing that.
>
> You won't be able to use Kerberos until you follow the instructions
> posted here, and in the thread you claimed to have read.
>
>> All that being said, here is my last question:
>>
>> Is it *in any way* possible to securely authorize mobile supplicants
>> through a wireless AP to a Freeradius server using a KDC for
>> authentication? Perhaps it's doable, but I'm just not on the right
>> track.
>
> Perhaps you can try reading my messages?
>
> I told you how it was possible: Download SecureW2, and use TTLS+PAP.
>
> Rather than doing that, you've wasted your time, and mine, by asking
> "how do I do it". I already told you. Once in that thread, and again
> in my previous email message.
>
> Follow the instructions in the thread, and in my previous email
> message. I really can't emphasize that enough.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
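
The supplicant-side setting this thread turns on, as an added example that is not part of the original messages: two wpa_supplicant network blocks contrasting the PEAP/MSCHAPv2 profile with the TTLS+PAP profile. Using wpa_supplicant is an assumption (the thread names SecureW2), and the SSID, realm, identities, server name and CA path are constructed placeholders.

```conf
# Constructed example; every name, realm and path below is a placeholder.

# Profile A: PEAP with MSCHAPv2 as the inner method (kept disabled).
# The RADIUS server only ever sees an MS-CHAP challenge/response, not the
# password, so it has nothing it can hand to a Kerberos KDC for checking.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@EXAMPLE.COM"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# Profile B: EAP-TTLS with PAP as the inner method.
# The clear-text password travels inside the TLS tunnel to the RADIUS
# server, which can then use it for a Kerberos authentication.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity is sent before the tunnel exists; keep it anonymous.
    anonymous_identity="anonymous@EXAMPLE.COM"
    identity="alice@EXAMPLE.COM"
    password="placeholder-password"
    # With PAP the tunnel is the only protection for the password, so the
    # supplicant must verify both the issuing CA and the server name.
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=PAP"
}
```

With Profile B the RADIUS server handles the clear-text password, so a supplicant that skips certificate validation would disclose it to any access point presenting its own certificate.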