Freeradius authentication against Kerberos

Arran Cudbard-Bell a.cudbardb at
Thu Jul 24 16:41:04 CEST 2014

On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland at> wrote:

> Wang, Yu wrote:
>> You can use third party plugins but I strongly discourage you from using
>> EAP-TTLS with Kerberos/PAP because it has security holes.
>  Not really.
>> We use
>> FreeRadius and NTLM.
>  It's 2014.  MS-CHAP is only slightly harder to crack than PAP.
>> In searching for a more efficient method than NTLM, I
>> looked into EAP-TTLS with Kerberos but a brother university network
>> engineer showed me how a hacker could steal user passwords easily with
>> EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
>  Please enlighten me.

Just to clarify for those reading the mailing list archives. The OP doesn’t really
understand what he’s talking about.

TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP.

As the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly
harder to crack with a similar attack.

A modified version of FreeRADIUS was released to enable exactly those sorts
of attacks a few years ago.

Don’t stop using TTLS-PAP, it’s fine.

