On Fri, Mar 12, 2004 at 03:00:02PM -0500, Kurt Jeschke wrote:
> I have been watching the conversations recently about who is using which
> RADIUS. I am curious, though, as to how those who use Kerberos
> authentication are planning to implement 802.1x and 802.11i? Is anyone
> looking at using EAP-TTLS-PAP with a FreeRADIUS proxy to an MIT K5 KDC?
>
> Kurt

At Penn, we're also (reluctantly) looking at EAP-TTLS with PAP as the "inner" authentication method. We were really hoping for the emergence of an EAP method that used Kerberos natively, but things don't look very promising on this front. EAP-GSS didn't pan out for a variety of reasons. And a planned attempt by the IETF's Kerberos working group to develop an EAP-Kerberos method hasn't begun yet.

In the meantime, we're considering a deployment of EAP-TTLS to tunnel the user's Kerberos password to the RADIUS server, which subsequently performs Kerberos password verification against our KDCs. We're averse to any solution that involves the transmission of a Kerberos password over the network (even if it's encrypted in TLS), but don't currently have any good alternatives for 802.1X/802.11i.

We use Radiator (http://www.open.com.au/radiator/), for which we've written our own Kerberos password verification module.

I'm also interested in finding out what the other Kerberos schools are doing.

---
Shumon Huque
Network Engineering
Information Systems & Computing
University of Pennsylvania / MAGPI.
3401 Walnut Street, Suite 221A,
Philadelphia, PA 19104-6228, USA.
(215)898-2477, (215)898-9348 (Fax)
E-mail: [EMAIL PROTECTED]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/.
