
Re: PPTP / L2TP with Kerberos -- what specs does it follow?

daemon@ATHENA.MIT.EDU (Frank Cusack)
Fri Nov 28 17:54:27 2014

MIME-Version: 1.0
In-Reply-To: <D4AA6C47-7A7D-42CB-97E2-FA8A932CBC63@openfortress.nl>
Date: Fri, 28 Nov 2014 00:51:36 -0800
Message-ID: <CAAyYNQjfsKNxCDp-TFdHAwJsL4MKKE5YUR_C8N0z_w386tofjA@mail.gmail.com>
From: Frank Cusack <frank@linetwo.net>
To: Rick van Rein <rick@openfortress.nl>
Cc: Hugh Cole-Baker <sigmaris@gmail.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Nov 28, 2014 at 12:29 AM, Rick van Rein <rick@openfortress.nl>
wrote:

> Here is a detailed discussion of how to configure FreeRADIUS to use
> Kerberos with 802.1x authentication:
>
> http://freeradius.1045715.n5.nabble.com/802-1x-amp-kerberos-td2765708.html
>

That discussion is how to set up a PAP request inside an EAP-TTLS tunnel,
which is then backended by Kerberos.  IOW, the client has to send the
password.  This is rather server-specific (how to configure different
authentication databases) and not really a "Kerberos" authentication.

I didn't read the document, but from the name of it the EAP-GSS method I
noted earlier would be a true Kerberos authentication -- the client has to
pass on a Kerberos token, not a password.  It sounded like that's what you
were going after.  I wouldn't be surprised if this isn't well
implemented/supported/documented.  It would require the KDC to be out in
the open (to get the ticket used for the VPN auth) and most folks aren't
going to do that.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
