A Krb5 EAP Method

1
A Krb5 EAP Method

• Derek Atkins
• IHTFP Consulting
• derek_at_ihtfp.com

2
The EAP Problem

• Purpose Authenticate Client to NAS
• NAS Offloads Auth decisions to AuthServer
• Goal Leverage initial authentication across
  multiple NAS connections
• EAP Issue EAP is AS-initiated.

3
Proposed Krb5-EAP MethodKDC Exchanges

• Client talks to NAS via Link-Layer Protocol
• NAS encapsulates EAP in Radius to pass to AS
• Client and AS communicate via EAP
• Radius (AS) Server proxies KDC Messages

4
An AP-REQ Shortcut(Fast Handoff)

• Assumes NAS is Krb5-aware
• Pass AP-REQ in link-level authentication frame
• Pass AP-REP in link-level auth. frame

5
Proposed Krb5-EAP MethodAP Exchange

• Either AS or NAS can be the Kerberized Service
• Client passes AP-REQ to AS via EAP which
• processes the AP-REQ, sends an AP-REP via EAP,
  and then sends keys to the NAS
• Or passes the AP-REQ to the NAS for processing

6
Why not GSS/IAKERB?

• Desire for Needham-Schroeder (secret key)
• No need for SPKM, Lipkey, etc.
• Desire for fast-handoff
• Lack of IAKERB implementations
• Lack of SPNEGO implementations