PPTP / L2TP with Kerberos -- what specs does it follow?

Frank Cusack frank at linetwo.net
Fri Nov 28 03:51:36 EST 2014


On Fri, Nov 28, 2014 at 12:29 AM, Rick van Rein <rick at openfortress.nl>
wrote:

> Here is a detailed discussion of how to configure FreeRADIUS to use
> Kerberos with 802.1x authentication:
>
> http://freeradius.1045715.n5.nabble.com/802-1x-amp-kerberos-td2765708.html
>

That discussion is how to set up a PAP request inside an EAP-TTLS tunnel,
which is then backended by Kerberos.  IOW, the client has to send the
password.  This is rather server-specific (how to configure different
authentication databases) and not really a "Kerberos" authentication.

I didn't read the document, but from the name of it the EAP-GSS method I
noted earlier would be a true Kerberos authentication -- the client has to
pass on a Kerberos token, not a password.  It sounded like that's what you
were going after.  I wouldn't be surprised if this isn't well
implemented/supported/documented.  It would require the KDC to be out in
the open (to get the ticket used for the VPN auth) and most folks aren't
going to do that.


More information about the Kerberos mailing list