Kerberos + LDAP + RADIUS?

[Mathew Rowley]

We are re-architecting our whole authentication backend, and I am having a
hard time trying to understand how Kerberos, LDAP, and RADIUS can all fit
together.  We currently use RADIUS and LDAP to do AAA, and group based
security, but we are going to want to have an SSO functionality (thus
introducing kerberos).

I think I can see how Kerberos and LDAP fit together, with group based
security:
A user will authenticate with Kerberos¹ authentication server, then attempt
to be assigned a ticket with the ticket granting server ­ the ticket
granting server will query LDAP to see if a user has access to the resource,
based on the groups that user is a part of.

My problem is trying to figure out where RADIUS comes into the mix.  It
seems like there can be two options, but both seem to have problems:
1. Have authentication point to Kerberos server which will authenticate
against radius : but this doesn¹t make sense because when you authenticate
against Kerberos, there is no password passed from client to server, so how
will Kerberos be able to tell if that user/pass is accepted via Radius.
2. Have authentication point to radius, and have it authenticate against
Kerberos : this defeats a whole security aspect of Kerberos ­ not passing
the  users password to the server, and how is it possible for the client to
have the Kerberos ticket?

Maybe I am missing something, or maybe this is just not possible.  Any
insight/tutorials/etc. would be helpful ­ there is not much on this topic
available.  Thanks.

-- 
MAT