Freeradius authentification against Kerberos

Wang, Yu ywang10 at
Fri Aug 1 16:48:23 CEST 2014

-----Original Message-----
From: at [ at] On Behalf Of Arran Cudbard-Bell
Sent: Thursday, July 24, 2014 10:41 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius authentification against Kerberos

On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland at> wrote:

> Wang, Yu wrote:
>> You can use third party plugins but I strongly discourage you from using
>> EAP-TTLS with Kerberos/PAP because it has security holes.
>  Not really.
>> We use
>> FreeRadius and NTLM.
>  It's 2014.  MS-CHAP is only slightly harder to crack than PAP.
>> In searching for a more efficient method than NTLM, I looked into EAP-TTLS
>> with Kerberos but a brother university network engineer showed me how
>> a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I
>> completely abandoned the idea of using it.
>  Please enlighten me.

>Just to clarify for those reading the mailing list archives. The OP doesn't really understand what he's talking about.
>TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP.

Yes, I was referring to MITM with a rogue AP broadcasting the campus SSID and harvesting the username and password sent in clear.

>As Alan the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly harder to crack with a similar attack.

It is slightly better than a cleartext password. The hacker has to crack it vs. just using it right away.

>A modified version of FreeRADIUS was released to enable exactly those sorts of attacks a few years ago.
>Don't stop using TTLS-PAP, it's fine.

MITMA is a reality, especially in an academic environment. Do you have other safer options? EAP-TLS is very safe but can be costly.