Re: WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos

Fri, 08 May 2009 13:23:23 -0700 

Alan,
Thank you so much for your time. I truly did read the thread - many times (that's why my config worked perfectly once I changed the setting on the supplicant) and it was and is clear that you are an expert on the subject.... that's why I posted to this list. 


Those of us who are new to these concepts could not become useful  
members of the community without your help.  You've made my week, and  
I hope that I can be helpful to someone in this regard in the future.


Kindest regards,

Scott


On May 8, 2009, at 3:07 PM, Alan DeKok wrote:


Scott Sears wrote:

Here is the thread which made me think it was possible, and led me to

this list.  Apparently I've made a mistake, but perhaps you can  
explain

the difference between my goal and the one described in the thread?


 The difference is you are NOT using the EAP method recommended either
in that thread, or in my previous response.

 The debug log you posted showed MS-CHAP authentication.  That is
impossible to use with Kerneros.


PEAP supplies an MS-CHAP hash, not a clear-text password.



I understand this.  I believed that I could set up an encryption  
tunnel

and then send the cleartext securely within tunnel to the KDC.


 Yes... but you didn't do that.  The thread you pointed to, and my
message, both told you the same thing: use TTLS+PAP.

 You're not doing that.

 You won't be able to use Kerberos until you follow the instructions
posted here, and in the thread you claimed to have read.


All that being said, here is my last question:

Is it *in any way* possible to securely authorize mobile supplicants
through a wireless AP to a Freeradius server using a KDC for

authentication?  Perhaps its doable, but I'm just not on the right  
track.


 Perhaps you can try reading my messages?

 I told you how it was possible: Download SecureW2, and use TTLS+PAP.

 Rather than doing that, you've wasted your time, and mine, by asking
"how do I do it".  I already told you.  Once in that thread, and again
in my previous email message.

 Follow the instructions in the thread, and in my previous email
message.  I really can't emphasize that enough.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






















					Reply via email to