PPTP / L2TP with Kerberos -- what specs does it follow?
Rick van Rein
rick at openfortress.nl
Sun Nov 30 15:33:58 EST 2014
Hi,
> Kerberos is not a complete identity solution.
As I understand Kerberos, it IS…
* a complete local authentication platform
* a statically configurable realm-xover authentication platform
…and it IS NOT…
* an on-the-fly realm-xover authentication platform
* an authorisation platform
The first one is a miss, and is being worked on (PKCROSS, the KREALM record, and ever-improving integration in protocols).
Authorisation is out of scope, and might need something like LDAP. Note that authorisation requires trust of the protected resource, so it is usually in the same realm, just using the authenticated identity that has done a realm-xover if necessary.
-Rick