Freeradius authentication against Kerberos

Alan DeKok aland at
Wed Jul 23 21:47:34 CEST 2014

Wang, Yu wrote:
> You can use third-party plugins but I strongly discourage you from using
> EAP-TTLS with Kerberos/PAP because it has security holes.

  Not really.

> We use
> FreeRadius and NTLM.

  It's 2014.  MS-CHAP is only slightly harder to crack than PAP.

> In searching for a more efficient method than NTLM, I
> looked into EAP-TTLS with Kerberos but a brother university network
> engineer showed me how a hacker could steal user passwords easily with
> EAP-TTLS/Kerberos. I completely abandoned the idea of using it.

  Please enlighten me.

  Alan DeKok.
