Freeradius authentification against Kerberos
ywang10 at fsu.edu
Fri Aug 1 16:48:23 CEST 2014
From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Thursday, July 24, 2014 10:41 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius authentification against Kerberos
On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Wang, Yu wrote:
>> You can use third party plugins but I strongly discourage you to use
>> EAP-TTLS with Kerberos/PAP because it has security holes.
> Not really.
>> We use
>> FreeRadius and NTLM.
> It's 2014. MS-CHAP is only slightly harder to crack than PAP.
>> In searching more efficient method than NTLM, I looked into EAP-TTLS
>> with Kerberos but a brother university network engineer showed me how
>> a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I
>> completely abandoned the idea of using it.
> Please enlighten me.
>Just to clarify for those reading the mailing list archives. The OP doesn't really understanding what he's talking about.
>TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP.
Yes, I was referring to MITM with a rogue AP broadcasting campus SSID and harvest username and password sent in clear.
>As Alan the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly harder to crack with a similar attack.
It is slightly better than cleartext password. The hacker has to crack it vs just uses it right away.
>A modified version of FreeRADIUS was released to enable exactly those sorts of attacks a few years ago.
>Don't stop using TTLS-PAP, it's fine.
MITMA is a reality, especially in academic environment. Do you have other safer options? EAP-TLS is very safe but can be costly.
More information about the Freeradius-Users