John Mok wrote:
> Hi,
> I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that
> the access point authenticates WLAN users via Kerberos (or GSSAPI /
> Kerberos) and grants access to the wired network upon successful
> authentication.
> Is FreeRADIUS the right tool to use? If so, I hope someone could point
> to the documentation on how to set it up. Is there any requirement on the
> access point, e.g. is support for 802.1X sufficient?

Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically
means taking the username's plaintext password and doing a "kinit" with it.
This means you will need to do EAP-TTLS/PAP, which requires installing
software on Windows clients, because Windows doesn't support TTLS.
The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the
MSCHAP checked against Active Directory using Samba in domain-member
mode and the ntlm_auth helper.
But yes - once you've got EAP-TTLS/PAP working, you can check the PAP
request against Kerberos.
For more info, see here:
http://deployingradius.com/documents/protocols/compatibility.html
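
A configuration fragment for the approach the reply describes, added here as an example and not part of the original post or of the FreeRADIUS distribution. It assumes the stock FreeRADIUS 3.x file layout and the rlm_krb5 module; the keytab path and service principal are placeholders.

```text
# --- mods-available/krb5 (enable with a symlink in mods-enabled/) ---
krb5 {
	# Placeholders: use the keytab and service principal created
	# for the RADIUS host in your own realm.
	keytab = /path/to/radius.keytab
	service_principal = radius/radius.example.org
}

# --- sites-available/inner-tunnel ---
# Handles the request carried inside the EAP-TTLS tunnel. Only the
# additions are shown; keep the modules already listed in each section.
authorize {
	# EAP-TTLS/PAP delivers the cleartext password as User-Password,
	# which is what the KDC check needs. MSCHAPv2 and CHAP inner
	# methods never carry it, so they cannot be verified this way.
	if (User-Password) {
		update control {
			Auth-Type := Kerberos
		}
	}
}

authenticate {
	# Hands User-Name and User-Password to the krb5 module, which
	# performs the equivalent of a "kinit" against the realm's KDC.
	Auth-Type Kerberos {
		krb5
	}
}

# The cleartext password is protected only by the TTLS tunnel, so
# supplicants must be configured to validate the RADIUS server
# certificate before sending it.
```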