PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein rick at openfortress.nl
Fri Nov 28 03:54:41 EST 2014


Hi Frank,

> I didn't read the document, but from the name of it the EAP-GSS method I noted earlier would be a true Kerberos authentication -- the client has to pass on a Kerberos token, not a password.  It sounded like that's what you were going after.

Yes, it is, ideally.

> I wouldn't be surprised if this isn't well implemented/supported/documented.  It would require the KDC to be out in the open (to get the ticket used for the VPN auth) and most folks aren't going to do that.

Interesting observation.  When we go cross-realm, we'll have to open our KDCs to the public... at least the TGS part, but that's indistinguishable from the AS part (same SRV record)...

-Rick

