A Krb5 EAP Method - PowerPoint PPT Presentation

Description:

Pass AP-REP in link-level auth. frame. IETF-55. Krb-wg. IHTFP Consulting ... processes the AP-REQ, sends an AP-REP via EAP, and then sends keys to the NAS ...

Slides: 7
Provided by: ietf
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
A Krb5 EAP Method
  • Derek Atkins
  • IHTFP Consulting
  • derek_at_ihtfp.com

2
The EAP Problem
  • Purpose: Authenticate Client to NAS
  • NAS offloads Auth decisions to AuthServer
  • Goal: Leverage initial authentication across
    multiple NAS connections
  • EAP Issue: EAP is AS-initiated.

3
Proposed Krb5-EAP Method: KDC Exchanges
  • Client talks to NAS via Link-Layer Protocol
  • NAS encapsulates EAP in Radius to pass to AS
  • Client and AS communicate via EAP
  • Radius (AS) Server proxies KDC Messages

4
An AP-REQ Shortcut (Fast Handoff)
  • Assumes NAS is Krb5-aware
  • Pass AP-REQ in link-level authentication frame
  • Pass AP-REP in link-level auth. frame

5
Proposed Krb5-EAP Method: AP Exchange
  • Either AS or NAS can be the Kerberized Service
  • Client passes AP-REQ to AS via EAP, which
    processes the AP-REQ, sends an AP-REP via EAP,
    and then sends keys to the NAS
  • Or passes the AP-REQ to the NAS for processing

6
Why not GSS/IAKERB?
  • Desire for Needham-Schroeder (secret key)
  • No need for SPKM, Lipkey, etc.
  • Desire for fast-handoff
  • Lack of IAKERB implementations
  • Lack of SPNEGO implementations