Scott Sears wrote:
I cannot get all the pieces working together.
Laptop-AP-Freeradius-Kerberos.
It's impossible.
Kerberos requires a clear-text password to authenticate (or various
Kerberos crypto tokens derived from the password).
PEAP supplies an MS-CHAP hash, not a clear-text
On 8/5/09 20:00, Alan DeKok wrote:
Scott Sears wrote:
I cannot get all the pieces working together.
Laptop-AP-Freeradius-Kerberos.
It's impossible.
Kerberos requires a clear-text password to authenticate (or various
Kerberos crypto tokens derived from the password).
PEAP supplies
Alan,
Thank you for your quick and kind response.
On May 8, 2009, at 2:00 PM, Alan DeKok wrote:
Scott Sears wrote:
I cannot get all the pieces working together.
Laptop-AP-Freeradius-Kerberos.
It's impossible.
Here is the thread which made me think it was possible, and led me to
this
Hello,
I am trying to implement WPA Enterprise / 802.1X, Freeradius and
Kerberos. The client is a Linksys running DD-WRT. The Supplicant is
Mac OS Laptop. Both are most recent versions of OS.
I can execute radtest on localhost and authenticate through
Freeradius to my KDC.
I can get my
Is it *in any way* possible to securely authorize mobile supplicants
through a wireless AP to a Freeradius server using a KDC for
authentication? Perhaps it's doable, but I'm just not on the right
track.
EAP-TTLS/PAP. Native Windows supplicant can't do this but SecureW2 does.
Ivan Kalik
That did it! I just needed to change settings on the supplicant. My
freeradius config was OK.
Thank you SO much.
On May 8, 2009, at 2:45 PM, Ivan Kalik wrote:
Is it *in any way* possible to securely authorize mobile supplicants
through a wireless AP to a Freeradius server using a KDC for
On 8/5/09 20:45, Ivan Kalik wrote:
Is it *in any way* possible to securely authorize mobile supplicants
through a wireless AP to a Freeradius server using a KDC for
authentication? Perhaps it's doable, but I'm just not on the right
track.
EAP-TTLS/PAP. Native Windows supplicant can't do this
Scott Sears wrote:
Here is the thread which made me think it was possible, and led me to
this list. Apparently I've made a mistake, but perhaps you can explain
the difference between my goal and the one described in the thread?
The difference is you are NOT using the EAP method recommended
Arran Cudbard-Bell wrote:
If you use SecureW2, you can configure Windows to do TTLS+PAP. That
will supply a clear-text password in the inner tunnel, which will allow
Kerberos to work.
Really? I would have thought the exchange would be far more complex than
just PAP? Surely you can't
Alan,
Thank you so much for your time. I truly did read the thread - many
times (that's why my config worked perfectly once I changed the
setting on the supplicant) and it was and is clear that you are an
expert on the subject; that's why I posted to this list.
Those of us who are new
On 8/5/09 21:11, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
If you use SecureW2, you can configure Windows to do TTLS+PAP. That
will supply a clear-text password in the inner tunnel, which will allow
Kerberos to work.
Really? I would have thought the exchange would be far more complex
Arran Cudbard-Bell wrote:
On 8/5/09 21:11, Alan DeKok wrote:
You can't. But you can use a KDC as an authentication oracle.
RADIUS: Is this PAP password OK?
KDC: yes/no.
Does it request a TGT and then see if it can decrypt it?
Yes, that's the basic process, it also validates the KDC.