As a RADIUS client, does the MIT KDC support EAP, PEAP, or similar authentication mechanisms?

Dickinson, Luke ldickin at sandia.gov
Thu Jun 6 13:47:04 EDT 2019


When using the FAST OTP preauthentication module for the KDC, the OTP is passed to the KDC over an encrypted FAST channel. The KDC then passes the OTP over to a RADIUS server.

When the KDC communicates with a RADIUS server, can this be done over a more secure method such as EAP or PEAP?

When OTP was first implemented in version 1.12, support for EAP was not included, as stated here http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS : "RADIUS is not FIPS compliant due to the use of MD5 in the protocol. EAP might make RADIUS FIPS compliant and Fedora ships a libeap. Integration of EAP is not planned at this time".

Has integration of EAP been included in more recent versions? If not, is there any plan to?

Thanks,

Luke


