I would like to use Kerberos with FreeRADIUS, but I don't want FreeRADIUS to have access to any passwords (hashed or otherwise), especially because such passwords may not exist if smart card authentication is used. I would much prefer for FreeRADIUS to only have access to Kerberos tickets. How can I do this?
Viewed 901 times
1 Answer
4
No, unfortunately not. It's not a limitation in FreeRADIUS as much as there's no EAP method which supports Kerberos natively. The only way to do Kerberos login with RADIUS is to use an EAP method that provides the credentials in the clear, and then use those to decrypt the TGT on the RADIUS server.
I've been lamenting this fact for the past 10 years, as SSO between the network layer and applications would be awesome. Unfortunately, there seems to be so much inertia in the industry that we're unlikely to ever get such an EAP method, especially as we're past peak Kerberos.
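As an added illustration (not part of the question or the answer above), this is the shape of the only arrangement the answer describes: an outer EAP-TTLS tunnel whose inner method is PAP, so FreeRADIUS receives the cleartext password and hands it to rlm_krb5 for the KDC exchange. The keytab path, realm, host name and service principal are assumptions; the outer `eap { ttls { ... } }` block is assumed to point at `virtual_server = "inner-tunnel"`.

```conf
# mods-available/krb5 (assumed paths and names)
krb5 {
    # Keytab holding the RADIUS server's own service principal. rlm_krb5 uses
    # it to verify the KDC reply, so a spoofed KDC cannot fake a success.
    keytab = /etc/raddb/radius.keytab
    service_principal = radius/radius.example.com
}

# sites-available/inner-tunnel (excerpt): the EAP-TTLS inner request lands here
server inner-tunnel {
    authorize {
        # Only PAP delivers the cleartext password the Kerberos AS exchange
        # needs; MS-CHAPv2 or other hashed inner methods cannot be bridged.
        if (User-Password) {
            update control {
                Auth-Type := krb5
            }
        }
    }
    authenticate {
        # Auth-Type := krb5 above selects this module instance.
        krb5
    }
}
```

The keytab check defends against a forged KDC answer, but FreeRADIUS still holds every user's cleartext password for the duration of the request, which is exactly the property the question wanted to avoid; smart-card-only principals cannot authenticate this way at all.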