Freeradius authentification against Kerberos

Wang, Yu ywang10 at fsu.edu
Wed Jul 23 21:40:25 CEST 2014


You can use third-party plugins, but I strongly discourage you from using EAP-TTLS with Kerberos/PAP because it has security holes. We use FreeRadius and NTLM. In searching for a more efficient method than NTLM, I looked into EAP-TTLS with Kerberos, but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.

For your environment, PEAP MSCHAPv2 will work.

Yu Wang
____________________________
Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.wang at fsu.edu

From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Benjamin Stahl (TH-Wildau.de)
Sent: Wednesday, July 23, 2014 11:54 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius authentification against Kerberos

Hey thanks for your fast answer.

As a Windows 7 client, I can only authenticate with PEAP - MSCHAPv2, right?
I looked at the network settings, and I did not find EAP-TTLS. Is it right?


Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.


On 23.07.2014 at 17:10, Wang, Yu <ywang10 at fsu.edu> wrote:



From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Benjamin Stahl
Sent: Wednesday, July 23, 2014 9:55 AM
To: Freeradius Mailing-List
Subject: Freeradius authentification against Kerberos

Hi,

I'm a newbie with Freeserver. It is my first time with it. I'm trying to make a configuration against Kerberos with your freeradius-server on CentOS 6.5.
I use FreeRadius 2.1.12.


Please use 2.2.5 if you can.

But now I get the error "no authenticate method (Auth-Type) found for the request" every time. So every user gets a reject.
I set up the server as explained in this tutorial from eduroam.us: https://www.eduroam.us/node/45

Under authenticate {}, make sure you have the following lines:

        Auth-Type PAP {
                pap
        }
        Auth-Type Kerberos {
                krb5
        }


My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work.

Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.


Can anyone help me, please?

I attached the logs.

Thanks, and best Benjamin.
