Hi Thomas,

Thank you for your concern. Following are some thoughts about this topic:

IMHO, what makes wireless networks an interesting topic when considering authentication is the mobile connectivity, which is technically implemented by "roaming" and handovers. These two properties make wireless clients different from fixed IP clients.

I think that proxying Kerberos (at AS or gateways) is not specific to wireless networks; someone might require dynamic address allocation and bootstrapping of fixed hosts and use bootstrapping protocols in addition to proxying Kerberos authentication at the network's borders (like in dial-in network access providers).

When some visiting user would like to connect to a foreign wireless network, in addition to the bootstrapping problem, the actual protocol defined by IAKERB does not allow the operator to authenticate the visiting user since he/she is not registered in the local DB. Hence there is a need to extend the proxy properties to perform inter-realm operations (to communicate with the user's home realm) for authenticating roaming users.

The EAP-KERBEROS method would allow the use of Kerberos in several EAP-based frameworks (IPSEC, PANA, ...) but would not completely solve the problem of Kerberos-based authentication in wireless networks. The advantage of other EAP methods compared to EAP-Kerberos (in roaming situations) is that an EAP-TLS authenticator, for example, would communicate with the client's home realm. In Kerberos this is not possible without extensions to the base protocol.

> In February 05, I already thought a little bit about using
> Kerberos as single logon for both * gaining access to a wireless
> network and * using the offered kerberized services, so that I
> began writing an EAP method which uses Kerberos, (the draft is at
> http://www-public.tu-bs.de:8080/~y0013790/ , but so dramatically
> immature that it is not worth to be read ;-).
>
> There are generally two ways how to apply Kerberos to WLAN
> authentication:
>
> 1) The user has nothing but his username/password. The EAP
> conversation is carried out in order to authenticate at the AS and
> to get a TGT. From this point, the client uses this TGT to request
> the TGS for service tickets.
>
> 2) The user has already network access and a TGT.

If the user has network access, then why does he need to go through a proxy?

> In this case, the authenticator (access point) is a service, so
> that the goal is to get a service ticket for the service "access
> point, wireless network access".

The service offered by the access point is attachment to the fixed network and allocation of an IP address.

> Therefore, a proxy Kerberos Server is inside the access point and
> talks EAP to the client, and talks in the other direction over IP
> with the Kerberos TGS. (I think this is covered by an older
> proposal, EAP-GSS).

If I understood scenario 2 correctly: the user has a TGT but no network access (this happens on handovers at IP level, such as in MIPv6, with the necessity of IP address re-allocation at each handover). As the access network is considered as a service, the client uses the proxy (and EAP-Kerberos) to obtain a service ticket from the TGS.

> Case 1 is interesting. It would be nice if a user types only
> once, namely at the initial logon, his username/password, and
> subsequently gets access to the network and the therein advertised
> services.
>
> Is this situation realistic? Where could one use Kerberos in
> wireless authentication otherwise?

I think this is the advantage of using Kerberos in access networks. The fact that a ticket is valid for a certain period of time allows fast handovers by using the same ticket several times without requiring communication with the back-end KDCs.

> I'd be glad if you tell me your ideas, and especially if you see
> the need for an EAP Kerberos method.
>
> Best regards, Thomas
>
> PS. I'm aware of the property catalogue for an EAP method, which
> is intended to be used in wireless networks (
> http://www.ietf.org/rfc/rfc4017.txt ). The major issue is the
> dictionary attack problem, but I think it could be mitigated by
> using some strong password protocol (like the paper of Wu it
> proposes).

--
Saber ZRELLI <[EMAIL PROTECTED]>
Japan Advanced Institute of Science and Technology
Center of Information Science
Shinoda Laboratory
url : http://www.jaist.ac.jp/~zrelli
gpg-id : 0x7119EA78

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos