Freeradius authentification against Kerberos
a.cudbardb at freeradius.org
Thu Jul 24 16:41:04 CEST 2014
On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Wang, Yu wrote:
>> You can use third party plugins but I strongly discourage you to use
>> EAP-TTLS with Kerberos/PAP because it has security holes.
> Not really.
>> We use
>> FreeRadius and NTLM.
> It's 2014. MS-CHAP is only slightly harder to crack than PAP.
>> In searching more efficient method than NTLM, I
>> looked into EAP-TTLS with Kerberos but a brother university network
>> engineer showed me how a hacker could steal user passwords easily with
>> EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
> Please enlighten me.
Just to clarify for those reading the mailing list archives. The OP doesn’t really
understanding what he’s talking about.
TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP.
As Alan the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly
harder to crack with a similar attack.
A modified version of FreeRADIUS was released to enable exactly those sorts
of attacks a few years ago.
Don’t stop using TTLS-PAP, it’s fine.
More information about the Freeradius-Users