EAP-Kerberos

Saber Zrelli zrelli at jaist.ac.jp
Sun Jul 17 12:01:53 EDT 2005


Hi Thomas,

Thank you for your concern,

Following are some thoughts about this topic:

IMHO, what makes wireless networks an interesting topic when
considering authentication is the mobile connectivity which is
technically implemented by "roaming" and handovers. These two
properties make wireless clients different from fixed IP clients. I
think that proxying Kerberos (at AS or gateways) is not specific to
wireless networks; someone might require dynamic address allocation
and bootstrapping of fixed hosts and use bootstrapping protocols in
addition to proxying Kerberos authentication at the network's
borders (like in dial-in network access providers).

When some visiting user would like to connect to a foreign wireless
network, in addition to the bootstrapping problem, the actual
protocol defined by IAKERB does not allow the operator to
authenticate the visiting user since he/she is not registered in
the local DB. Hence there is a need to extend the proxy properties to
perform inter-realm operations (to communicate with the user's home
realm) for authenticating roaming users.

The EAP-Kerberos method would allow the use of Kerberos in several
EAP-based frameworks (IPsec, PANA, ...) but would not completely
solve the problem of Kerberos-based authentication in wireless
networks.

The advantage of other EAP methods compared to EAP-Kerberos (in
roaming situations) is that an EAP-TLS authenticator, for example, would
communicate with the client's home realm. In Kerberos this is not
possible without extensions to the base protocol.

> In February 05, I already thought a little bit about using
> Kerberos as single logon for both * gaining access to a wireless
> network  and * using the offered kerberized services, so that I
> began writing an EAP method which uses Kerberos, (the draft is at
> http://www-public.tu-bs.de:8080/~y0013790/ , but so dramatically
> immature that it is not worth to be read ;-).
> 
> There are generally two ways how to apply Kerberos to WLAN
> authentication: 
> 
> 1) The user has nothing but his username/password. The EAP-
> conversation is carried out in order to authenticate at the AS and
> to get a TGT. From this point, the client uses this TGT to request
> the TGS for service tickets. 
> 
> 2) The user has already network access and a TGT.
If the user has network access, then why does he need to go through a
proxy?

> In this case, the authenticator (access point) is a service, so
> that the goal is to get a service ticket for the service "access
> point, wireless network access".

The service offered by the access point is attachment to the fixed
network and allocation of an IP address.

> Therefore, a proxy Kerberos Server is inside the access point and
> talks EAP to the client, and talks in the other direction over IP
> with the Kerberos TGS. (I think this is covered by an older
> proposal, EAP-GSS).

If I understood scenario 2 well: the user has a TGT but no network
access (this happens on handovers at the IP level, such as in MIPv6, with
the necessity of IP address re-allocation at each handover).

As the access network is considered a service, the client uses
the proxy (and EAP-Kerberos) to obtain a service ticket from the TGS.

 
> Case 1 is interesting. It would be nice if a user, types only
> once, namely at the initial logon, his username password, and
> subsequently get access to the network and the therein advertised
> services. 
> 
> Is this situation realistic? Where could one use Kerberos in
> wireless authentication otherwise?

I think this is the advantage of using Kerberos in access networks.
The fact that a ticket is valid for a certain period of time allows
fast handovers by using the same ticket several times without
requiring communication with the back-end KDCs.


> 
> I'd be glad if you tell me your ideas, and especially if you see
> the need for an EAP Kerberos method. 
> 
> Best regards, Thomas
> 
> PS. I'm aware of the property catalogue for an EAP method which
> is intended to be used in wireless networks
> (http://www.ietf.org/rfc/rfc4017.txt). The major issue is the
> dictionary attack problem, but I think it could be mitigated by
> using some strong password protocol (like the one the paper by Wu
> proposes).
> 
> 

-- 
Saber ZRELLI <zrelli at jaist.ac.jp>
Japan Advanced Institute of Science and Technology
Center of Information Science
Shinoda Laboratory
url     : http://www.jaist.ac.jp/~zrelli
gpg-id  : 0x7119EA78
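Added illustration of the ticket-reuse point made in the reply above (the
access point as a kerberized service, a cached service ticket re-presented
at each handover, a trip to the KDC only once it has expired). This is a toy
model written for this page, not real Kerberos, not the EAP-Kerberos draft
and not code from either correspondent; the service principal name, the
client name, the MAC-based stand-in for ticket encryption and the derived
session key are all assumptions made to keep it runnable with the standard
library.

```python
"""Toy model: network access is a kerberized service. The client caches its
service ticket, re-presents it to each access point it hands over to, and
goes back to the KDC only once the ticket has expired. Added illustration,
not real Kerberos or any EAP-Kerberos draft; every name here is made up."""
import hashlib, hmac, json, os

SERVICE = "wlan-access/campus.example"  # assumed principal shared by the AP pool

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _session_key(service_key, body):
    # Shortcut: real Kerberos ships the session key inside the ticket, encrypted
    # under the service key; here KDC and AP both derive it from that key.
    return _mac(service_key, b"session-key|" + body)

def _valid_at(body, now):
    t = json.loads(body)
    return t["start"] <= now < t["end"]

class KDC:
    """Back-end authority holding the long-term keys (AS/TGS exchange collapsed)."""
    def __init__(self):
        self.keys, self.requests = {}, 0  # requests = trips to the back end

    def register(self, principal):
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]

    def issue(self, client, service, now, lifetime):
        self.requests += 1
        body = json.dumps({"client": client, "service": service,
                           "start": now, "end": now + lifetime}).encode()
        return {"body": body, "mac": _mac(self.keys[service], body),
                "session_key": _session_key(self.keys[service], body)}

class AccessPoint:
    """Authenticator that checks a ticket locally, never asking the KDC."""
    def __init__(self, service_key):
        self.service_key = service_key
        self.seen = set()  # (client, time) authenticators already accepted

    def verify(self, ticket, auth, now, skew=300):
        body = ticket["body"]
        if not hmac.compare_digest(_mac(self.service_key, body), ticket["mac"]):
            return False, "ticket integrity check failed"
        t = json.loads(body)
        if t["service"] != SERVICE or not _valid_at(body, now):
            return False, "ticket expired or for another service"
        auth_body = json.dumps({"client": t["client"], "time": auth["time"]}).encode()
        expected = _mac(_session_key(self.service_key, body), auth_body)
        if not hmac.compare_digest(expected, auth["mac"]):
            return False, "authenticator does not prove the session key"
        if abs(auth["time"] - now) > skew or (t["client"], auth["time"]) in self.seen:
            return False, "stale or replayed authenticator"
        self.seen.add((t["client"], auth["time"]))
        return True, "accepted"

class Client:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.cache = name, kdc, None

    def attach(self, ap, now, lifetime=3600):
        if self.cache is None or not _valid_at(self.cache["body"], now):
            self.cache = self.kdc.issue(self.name, SERVICE, now, lifetime)
        t = self.cache
        auth_body = json.dumps({"client": self.name, "time": now}).encode()
        auth = {"time": now, "mac": _mac(t["session_key"], auth_body)}
        # The AP sees the ticket and the authenticator, never the session key.
        return ap.verify({"body": t["body"], "mac": t["mac"]}, auth, now)

def simulate_handovers(handover_times, lifetime=3600):
    """Move one client across three APs at the given times (seconds) and
    return (trips to the KDC, whether every handover was accepted)."""
    kdc = KDC()
    key = kdc.register(SERVICE)
    aps = [AccessPoint(key) for _ in range(3)]
    client = Client("alice", kdc)
    accepted = [client.attach(aps[i % 3], t, lifetime)[0]
                for i, t in enumerate(handover_times)]
    return kdc.requests, all(accepted)

def replay_rejected():
    """Re-sending a captured (ticket, authenticator) pair to the same AP fails."""
    kdc = KDC()
    ap = AccessPoint(kdc.register(SERVICE))
    t = kdc.issue("alice", SERVICE, 0, 3600)
    auth_body = json.dumps({"client": "alice", "time": 10}).encode()
    auth = {"time": 10, "mac": _mac(t["session_key"], auth_body)}
    first, _ = ap.verify({"body": t["body"], "mac": t["mac"]}, auth, 10)
    second, _ = ap.verify({"body": t["body"], "mac": t["mac"]}, auth, 12)
    return first and not second

if __name__ == "__main__":
    print(simulate_handovers([0, 1800, 3000, 4000]))  # (2, True)
    print(replay_rejected())  # True
```

With a one-hour ticket, handovers at 0, 1800 and 3000 seconds reuse the cached
ticket and only the fourth, at 4000 seconds, goes back to the KDC, which is
the property the reply attributes to ticket lifetimes; the replay check shows
what the authenticator adds on top of the ticket when the same AP is contacted
twice.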

