PPTP / L2TP with Kerberos -- what specs does it follow?
Rick van Rein
rick at openfortress.nl
Thu Nov 27 06:48:14 EST 2014
Hi Frank & Hugh,
Thanks. It sounds rather silly to me, to build such a thing and conceal the protocol — especially with Apple not active on the server market, an open protocol would seem the best choice?
There is one potential other link I found, but I’m not sure if it works — RADIUS has a (rather concealed) Auth-Type Kerberos implemented in rlm_krb5. This might be another route through which it can be achieved, but then still I’m uncertain how RADIUS would fit in with PPTP and/or L2TP.
I found a description of how to enable eduroam with Kerberos authentication — and since this is 802.1x I assumed that EAP is used.
https://www.eduroam.us/node/45
This runs inside TTLS, and that’s where I got stuck, since I assumed it always ran one of the modes of
https://tools.ietf.org/html/rfc5281#section-11.2
However, reading
https://tools.ietf.org/html/rfc5281#section-10
it appears that general AVPs for RADIUS / DIAMETER are supported — and that includes RADIUS’ support for Kerberos authentication. Except that it is not supported by the IANA registry,
http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10
This continues to puzzle me… one, the incredible path to get to Kerberos as a result of all these generic switch points, and second, the lack of an official spec for this use of Kerberos.
Cheers,
-Rick
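Added illustration (not part of the original mail or any project's code): the RFC 5281 section 10 AVP framing that carries the inner RADIUS-style attributes through a TTLS tunnel. The `inner_pap_request` helper and the constructed user/password values are assumptions for the example; it shows only the encoding that reaches the RADIUS backend, not how that backend then validates against Kerberos.

```python
import struct

# RADIUS attribute codes (RFC 2865) that EAP-TTLS carries as AVPs inside the tunnel
USER_NAME = 1
USER_PASSWORD = 2

# RFC 5281 section 10.1 AVP flag bits
FLAG_V = 0x80  # Vendor-ID field present
FLAG_M = 0x40  # Mandatory: receiver must reject the AVP if it does not understand it


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Encode one EAP-TTLS AVP: code(4) flags(1) length(3) [vendor_id(4)] data,
    padded with zeros to a 4-octet boundary. Length excludes the padding."""
    flags = FLAG_M if mandatory else 0
    body = b""
    if vendor_id is not None:
        flags |= FLAG_V
        body += struct.pack(">I", vendor_id)
    body += data
    length = 8 + len(body)
    avp = struct.pack(">I", code) + bytes([flags]) + length.to_bytes(3, "big") + body
    return avp + b"\x00" * (-len(avp) % 4)


def decode_avps(buf):
    """Parse a run of AVPs into (code, vendor_id, mandatory, data) tuples,
    rejecting truncated headers and lengths that overrun the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack_from(">I", buf, pos)[0]
        flags = buf[pos + 4]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(buf):
            raise ValueError("bad AVP length")
        off, vendor = pos + 8, None
        if flags & FLAG_V:
            vendor = struct.unpack_from(">I", buf, off)[0]
            off += 4
        out.append((code, vendor, bool(flags & FLAG_M), buf[off:pos + length]))
        pos += length + (-length % 4)  # skip the padding too
    return out


def inner_pap_request(user, password):
    """Constructed example: the User-Name/User-Password pair a TTLS/PAP client
    sends inside the TLS tunnel (cleartext there, protected only by the TLS layer);
    the TTLS server hands these to its RADIUS backend as ordinary attributes."""
    return encode_avp(USER_NAME, user.encode()) + encode_avp(USER_PASSWORD, password.encode())
```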