[36620] in Kerberos

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

daemon@ATHENA.MIT.EDU (Rick van Rein)
Thu Nov 27 06:48:30 2014

Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <CAAyYNQg3myLYqowkf4Mf98-daPt3nvL3BEtcL1ggmZzUPy2NNQ@mail.gmail.com>
Date: Thu, 27 Nov 2014 12:48:14 +0100
Message-Id: <5DC4DB89-3B46-44BB-BDE0-B0D92028DEB7@openfortress.nl>
To: Frank Cusack <frank@linetwo.net>, Hugh Cole-Baker <sigmaris@gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Frank & Hugh,

Thanks.  It sounds rather silly to me, to build such a thing and conceal the protocol — especially with Apple not active on the server market, an open protocol would seem the best choice?

There is one potential other link I found, but I’m not sure if it works — RADIUS has a (rather concealed) Auth-Type Kerberos implemented in rlm_krb5.  This might be another route through which it can be achieved, but then still I’m uncertain how RADIUS would fit in with PPTP and/or L2TP.

I found a description of how to enable eduroam with Kerberos authentication — and since this is 802.1x I assumed that EAP is used.
https://www.eduroam.us/node/45

This runs inside TTLS, and that’s where I got stuck, since I assumed it always ran one of the modes of
https://tools.ietf.org/html/rfc5281#section-11.2
However, reading
https://tools.ietf.org/html/rfc5281#section-10
it appears that general AVPs for RADIUS / DIAMETER are supported — and that includes RADIUS’ support for Kerberos authentication.  Except that it is not supported by the IANA registry,
http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10

This continues to puzzle me… one, the incredible path to get to Kerberos as a result of all these generic switch points, and second, the lack of an official spec for this use of Kerberos.

Cheers,
 -Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

