[38551] in Kerberos
As a RADIUS client, does the MIT KDC support EAP, PEAP, or similar
daemon@ATHENA.MIT.EDU (Dickinson, Luke)
Thu Jun 6 13:47:40 2019
From: "Dickinson, Luke" <ldickin@sandia.gov>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 6 Jun 2019 17:47:04 +0000
Message-ID: <b83734f478d94854876d8bcdf4fc3288@ES03AMSNLNT.srn.sandia.gov>
When using the FAST OTP preauthentication module for the KDC, the OTP is passed to the KDC over an encrypted FAST channel. The KDC then passes the OTP over to a RADIUS server.
When the KDC communicates with a RADIUS server, can this be done over a more secure method such as EAP or PEAP?
When OTP was first implemented in version 1.12, support for EAP was not included, as stated here http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS : "RADIUS is not FIPS compliant due to the use of MD5 in the protocol. EAP might make RADIUS FIPS compliant and Fedora ships a libeap. Integration of EAP is not planned at this time".
Has integration of EAP been included in more recent versions? If not, is there any plan to?
Thanks,
Luke
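
The MD5 dependency quoted in the message comes from how plain RADIUS protects the User-Password attribute (RFC 2865, section 5.2). The sketch below is an added example, not part of the original message and not MIT krb5 code; it assumes the OTP travels in User-Password, and the shared secret, Request Authenticator and OTP values are constructed.

```python
import hashlib

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-octet chunks


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (here: the KDC) of RFC 2865 section 5.2."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # Keystream block = MD5(shared secret + previous ciphertext block).
        # A FIPS-mode crypto library may refuse this call, which is the
        # compliance problem the wiki page quoted above refers to.
        keystream = hashlib.md5(secret + prev).digest()
        prev = xor_bytes(padded[i:i + BLOCK], keystream)
        hidden += prev
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 keystream and strip the padding."""
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 octets, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + BLOCK]
        clear += xor_bytes(prev, keystream)
    return clear.rstrip(b"\x00")


# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
OTP = b"492817"

if __name__ == "__main__":
    wire = hide_user_password(OTP, SECRET, AUTHENTICATOR)
    print(wire.hex(), reveal_user_password(wire, SECRET, AUTHENTICATOR))
```

All of the protection applied to the attribute here derives from MD5 and the shared secret; plain RADIUS adds no other encryption of the value.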