Freeradius authentification against Kerberos
Wang, Yu
ywang10 at fsu.edu
Wed Jul 23 21:40:25 CEST 2014
You can use third party plugins, but I strongly discourage you from using EAP-TTLS with Kerberos/PAP because it has security holes. We use FreeRadius and NTLM. In searching for a more efficient method than NTLM, I looked into EAP-TTLS with Kerberos, but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
For your environment, PEAP MSCHAPv2 will work.
Yu Wang
____________________________
Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.wang at fsu.edu
From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Benjamin Stahl (TH-Wildau.de)
Sent: Wednesday, July 23, 2014 11:54 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius authentification against Kerberos
Hey thanks for your fast answer.
As a Windows 7 client, I can only authenticate PEAP - MSCHAPv2, right?
I looked at the network settings, I did not find EAP-TTLS. Is it right?
Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.
On 23.07.2014 at 17:10, Wang, Yu <ywang10 at fsu.edu> wrote:
From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Benjamin Stahl
Sent: Wednesday, July 23, 2014 9:55 AM
To: Freeradius Mailing-List
Subject: Freeradius authentification against Kerberos
Hi,
I'm a newbie with Freeserver. It is my first time with it. I am trying to make a configuration against Kerberos with your freeradius-server on CentOS 6.5.
I use FreeRadius 2.1.12
Please use 2.2.5 if you can.
But now I get the error every time: "no authenticate method (Auth-Type) found for the request". So every user gets a reject.
I set up the server as explained in this tutorial from eduroam.us: https://www.eduroam.us/node/45
Under authenticate {}, make sure you have following lines:
    Auth-Type PAP {
        pap
    }
    Auth-Type Kerberos {
        krb5
    }
My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work.
Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.
Can anyone help me, please?
I attached the logs.
Thanks, and best Benjamin.
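
An added example, not part of the original thread and not FreeRADIUS code: a small Python check that reads a virtual-server file and reports which of the two Auth-Type stanzas listed in the reply above are absent from authenticate {}. The sample config and all function names are constructed for illustration.

```python
import re

# Stanzas the reply lists for authenticate {}: Auth-Type name -> module inside it
REQUIRED = {"PAP": "pap", "Kerberos": "krb5"}

# Constructed sample: the Kerberos stanza is commented out
SAMPLE = """
authorize {
    preprocess
    files
}
authenticate {
    Auth-Type PAP {
        pap
    }
    # Auth-Type Kerberos {
    #     krb5
    # }
    eap
}
"""

def _block(text, header, start=0):
    """Return (body, end_index, match) of the first `header { ... }` block, or None."""
    m = re.compile(header + r"\s*\{").search(text, start)
    if m is None:
        return None
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces in config")
    return text[m.end():i - 1], i, m

def auth_types(config_text):
    """Map each Auth-Type name in authenticate {} to the modules listed inside it."""
    text = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    section = _block(text, r"(?m)^\s*authenticate")
    found, pos = {}, 0
    while section is not None:
        stanza = _block(section[0], r"Auth-Type\s+(\S+)", pos)
        if stanza is None:
            break
        inner, pos, m = stanza
        found[m.group(1)] = inner.split()
    return found

def missing_stanzas(config_text):
    """Names from REQUIRED whose stanza is absent or lacks the expected module."""
    found = auth_types(config_text)
    return sorted(n for n, mod in REQUIRED.items() if mod not in found.get(n, []))

if __name__ == "__main__":
    print("missing Auth-Type stanzas:", missing_stanzas(SAMPLE))
```

This only confirms that the stanzas exist in authenticate {}; it does not check whether the authorize section actually sets Auth-Type for a request.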