WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Fri May 8 22:23:15 CEST 2009
On 8/5/09 21:11, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>>> If you use SecureW2, you can configure Windows to do TTLS+PAP. That
>>> will supply a clear-text password in the inner tunnel, which will allow
>>> kerberos to work.
>> Really? I would have thought the exchange would be far more complex than
>> just PAP? Surely you can't bootstrap Kerberos like that.
>
> You can't. But you can use a KDC as an authentication oracle.
>
> RADIUS: Is this PAP password OK?
> KDC: yes/no.
Does it request a TGT and then see if it can decrypt it?
> RADIUS: thanks...
Yes realised what you were doing :) I suppose it's usefulish...
>
>> Has anyone actually got EAP-Kerberos or some other equivalent scheme
>> working with Windows?
>
> Ugh. No.
Didn't think so. If only those Xsupplicant guys managed to get it
working on a platform *other* than XP. Maybe people would be more
inclined to contribute code to do these neat things *sigh*.
I'm going to file this under the *really really cool, but not for
another decade* section.
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
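
The "KDC as an authentication oracle" arrangement discussed in this message, sketched as a FreeRADIUS 2.x configuration fragment. This is an added example, not configuration posted by anyone in the thread. The keytab path and service principal are assumed placeholder values, and the outer EAP-TTLS setup in eap.conf is taken as already in place.

```conf
# raddb/modules/krb5
# rlm_krb5 instance. The keytab path and principal name below are
# assumed placeholders, not values from the thread.
krb5 {
	keytab = /etc/raddb/radius.keytab
	service_principal = radius/radius.example.org
}

# raddb/sites-available/inner-tunnel
# Virtual server that handles the request carried inside the TTLS tunnel.
authorize {
	# With TTLS+PAP the inner request carries a clear-text User-Password.
	# Only that case is handed to Kerberos; inner methods such as
	# MSCHAPv2 never expose the password, so krb5 cannot check them.
	if (User-Password) {
		update control {
			Auth-Type := Kerberos
		}
	}
}

authenticate {
	# The module presents the user name and password to the KDC and
	# maps the answer to accept or reject: the yes/no exchange quoted
	# in the message above.
	Auth-Type Kerberos {
		krb5
	}
}
```

The clear-text password is protected only by the TTLS tunnel, so the supplicant has to validate the RADIUS server certificate before sending it.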