PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein rick at openfortress.nl
Thu Nov 27 06:48:14 EST 2014


Hi Frank & Hugh,

Thanks.  It sounds rather silly to me, to build such a thing and conceal the protocol — especially with Apple not active on the server market, an open protocol would seem the best choice?

There is one potential other link I found, but I’m not sure if it works — RADIUS has a (rather concealed) Auth-Type Kerberos implemented in rlm_krb5.  This might be another route through which it can be achieved, but then still I’m uncertain how RADIUS would fit in with PPTP and/or L2TP.

I found a description of how to enable eduroam with Kerberos authentication — and since this is 802.1X I assumed that EAP is used.
https://www.eduroam.us/node/45

This runs inside TTLS, and that’s where I got stuck, since I assumed it always ran one of the modes of
https://tools.ietf.org/html/rfc5281#section-11.2
However, reading
https://tools.ietf.org/html/rfc5281#section-10
it appears that general AVPs for RADIUS / Diameter are supported — and that includes RADIUS' support for Kerberos authentication.  Except that it is not supported by the IANA registry,
http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10

This continues to puzzle me… one, the incredible path to get to Kerberos as a result of all these generic switch points, and second, the lack of an official spec for this use of Kerberos.

Cheers,
 -Rick
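The path Rick traces above (EAP-TTLS carrying generic AVPs per RFC 5281 section 10, which a RADIUS server then hands to rlm_krb5) is easier to see with the bytes in hand. What follows is an added example, not code from the thread or from any of the projects mentioned: it encodes and parses TTLS AVPs in the Diameter layout that RFC 5281 section 10 specifies (32-bit AVP Code, 8-bit Flags with V and M bits, 24-bit Length covering header plus data but not padding, optional Vendor-ID, data padded to a 4-octet boundary), and builds the phase-2 PAP payload of RFC 5281 section 11.2.1, i.e. a User-Name AVP and a cleartext User-Password AVP (AVP codes 1 and 2, the RADIUS attribute numbers, password zero-padded to a 16-octet multiple). That cleartext password is exactly what rlm_krb5 needs, since it validates a user by requesting a ticket from the KDC with the password; this is why the Kerberos route works over TTLS/PAP but not over the challenge-response modes. The usernames, passwords and the vendor AVP in the test data are constructed for the example.

```python
import struct

# RFC 5281 section 10: TTLS AVPs use the Diameter AVP layout.  RADIUS
# attributes are carried with AVP Code = RADIUS attribute type and no
# Vendor-ID.  Codes below are from the RADIUS registry (RFC 2865).
RADIUS_USER_NAME = 1
RADIUS_USER_PASSWORD = 2

FLAG_VENDOR = 0x80     # V bit: a 32-bit Vendor-ID follows the length
FLAG_MANDATORY = 0x40  # M bit: receiver must understand this AVP or fail


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Encode one TTLS AVP (Diameter layout, RFC 5281 section 10)."""
    flags = FLAG_MANDATORY if mandatory else 0
    if vendor_id is not None:
        flags |= FLAG_VENDOR
    # Length counts header + data, but not the alignment padding.
    length = 8 + (4 if vendor_id is not None else 0) + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    out += data
    out += b"\x00" * ((-len(data)) % 4)  # pad to 4-octet boundary
    return out


def decode_avps(buf):
    """Parse a run of AVPs; returns [(code, vendor_id, mandatory, data)].

    Length checks are done before any slice so a short or lying Length
    field raises instead of silently yielding a truncated value.
    """
    avps = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length %d" % length)
        vendor_id = None
        if flags & FLAG_VENDOR:
            vendor_id = struct.unpack_from("!I", buf, off + 8)[0]
        data = buf[off + hdr:off + length]
        avps.append((code, vendor_id, bool(flags & FLAG_MANDATORY), data))
        off += length + ((-length) % 4)  # step over the padding too
    return avps


def build_pap_inner(username, password):
    """Phase-2 TTLS/PAP payload (RFC 5281 section 11.2.1).

    User-Password is sent in the clear inside the TLS tunnel, zero-padded
    to a multiple of 16 octets to hide its length; the RADIUS password
    obfuscation of RFC 2865 is NOT applied here.
    """
    pw = password.encode()
    pw += b"\x00" * ((-len(pw)) % 16)
    return (encode_avp(RADIUS_USER_NAME, username.encode())
            + encode_avp(RADIUS_USER_PASSWORD, pw))


def extract_pap_credentials(buf):
    """What a TTLS server pulls from the decrypted tunnel to forward as
    RADIUS User-Name / User-Password, e.g. to a home server running
    rlm_krb5.  Unknown AVPs with the M bit set are a hard failure.
    """
    creds = {}
    for code, vendor_id, mandatory, data in decode_avps(buf):
        if vendor_id is None and code == RADIUS_USER_NAME:
            creds["user_name"] = data.decode()
        elif vendor_id is None and code == RADIUS_USER_PASSWORD:
            # Strip the 16-octet padding; a password ending in NUL bytes
            # cannot be distinguished from padding, which the spec accepts.
            creds["user_password"] = data.rstrip(b"\x00").decode()
        elif mandatory:
            raise ValueError("unsupported mandatory AVP code %d" % code)
    return creds


if __name__ == "__main__":
    inner = build_pap_inner("alice", "s3cret")  # constructed test input
    print(inner.hex())
    print(extract_pap_credentials(inner))
```

Note what this does not show: the outer EAP-TTLS framing and the TLS tunnel itself, which protect these AVPs on the wire. Without that tunnel the User-Password AVP would be a cleartext password on an 802.1X link, which is the whole reason the Kerberos check can only live at the far end of TTLS and not directly in EAP.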

