Using the Kerberos protocol to authenticate network access has several advantages. In this post, I explain why Kerberos authentication for network access control is something every admin would want to have, and then introduce the Kernac project, which is working towards a solution.
In two words: unification and performance.
Consider institutions that use Kerberos as the authentication system controlling access to different application services (mail, FTP, web, database, etc.). If the same Kerberos credentials can be used for network access, users only have to carry and remember a single set of credentials: a user name and a password. This also reduces the administrative burden on the institution, since it no longer has to manage a separate authentication system dedicated to network access. Users benefit from an integrated network access and Kerberos sign-on process, in which the credentials obtained during the network access phase are reused to authenticate to application services. These are examples of the advantages of a unified network security solution built on the Kerberos authentication protocol.
Moreover, Kerberos is a lightweight protocol based on inexpensive symmetric key cryptography. In contrast with the most popular authentication mechanisms, which rely on public key cryptography (such as TLS in conjunction with EAP), symmetric keys are better suited to small devices with low computational power. Symmetric key authentication schemes are also easier to deploy and maintain, since no certificate management and no PKI are involved.
The Kernac project aims at providing a WPA2/EAP supplicant and a RADIUS authentication server for implementing Kerberized network access control. The WPA2 supplicant and Kerberos capable RADIUS server are available for download from the website.
The EAP supplicant obtains Kerberos credentials (tickets) from the appropriate Windows AD server or Kerberos KDC and uses these credentials to authenticate to the network infrastructure. With the native Kerberos method, the user's password is never sent over the network, neither in the clear nor encrypted, which provides better security and a true single sign-on feature.
The Kernac project uses a new EAP method, namely EAP-Kerberos. The following is an overview of how this method is used.
The access network is divided into “zones”. Each zone is managed by a RADIUS server. Physically speaking, a zone is a collection of lightweight access points. Each zone is treated as a Kerberized service and registered as such in a Kerberos KDC owned by the access network provider.
In order to gain wireless connectivity within a given zone, the wireless client first obtains a Kerberos service ticket for that zone, then uses the service ticket to authenticate to the RADIUS server managing the zone.
The KERNAC wireless authentication system allows the wireless client to communicate with remote KDCs to obtain Kerberos credentials. The RADIUS server, on the other hand, holds the keytab of the zones that it manages. When the client presents a valid service ticket for the zone, the zone's RADIUS server validates the ticket and authorizes the client.
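The zone authentication flow described above, as an added example that is not part of the Kernac project or of any real Kerberos implementation: a toy KDC issues a service ticket for a zone principal, the supplicant proves knowledge of its password-derived key to the KDC without ever transmitting the password, and the zone's RADIUS server validates the ticket using nothing but its own keytab entry. The encryption is a stand-in built from HMAC-SHA256 (standard library only) rather than a real Kerberos enctype, and the principal names, zone names and the `wlan/` service prefix are constructed for the example.

```python
# Added example: toy model of EAP-Kerberos zone authentication. NOT Kernac or
# MIT Kerberos code. Toy encryption = HMAC-SHA256 keystream + HMAC tag.
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def toy_encrypt(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object (toy construction)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(password, principal):
    # Stand-in for the Kerberos string-to-key function, salted with the principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)

class KDC:
    """Holds the long-term keys of users and of every zone service principal."""
    def __init__(self, user_keys, zone_keys):
        self.user_keys, self.zone_keys = user_keys, zone_keys
    def get_service_ticket(self, client, zone, preauth, now=None):
        now = now or time.time()
        # Pre-authentication: the client proves key knowledge with an encrypted
        # timestamp; the password itself never crosses the network.
        ts = toy_decrypt(self.user_keys[client], preauth)["ts"]
        if abs(ts - now) > 300:
            raise ValueError("preauth timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        # The ticket is sealed under the ZONE's key, so only that zone's RADIUS
        # server (which holds the keytab) can open and validate it.
        ticket = toy_encrypt(self.zone_keys[zone],
                             {"client": client, "zone": zone, "session": session, "exp": now + 3600})
        reply = toy_encrypt(self.user_keys[client], {"zone": zone, "session": session})
        return ticket, reply

class ZoneRadiusServer:
    """RADIUS server of one zone: has the zone's keytab entry and no user keys at all."""
    def __init__(self, zone, zone_key):
        self.zone, self.key, self.seen = zone, zone_key, set()
    def authorize(self, ticket, authenticator, now=None):
        now = now or time.time()
        try:
            t = toy_decrypt(self.key, ticket)
        except ValueError:
            return False, "ticket was not issued under this zone's key"
        if t["zone"] != self.zone or t["exp"] < now:
            return False, "ticket is for another zone or has expired"
        try:  # the authenticator proves the client knows the ticket's session key
            a = toy_decrypt(bytes.fromhex(t["session"]), authenticator)
        except ValueError:
            return False, "authenticator not encrypted under the session key"
        if a["client"] != t["client"] or abs(a["ts"] - now) > 300:
            return False, "authenticator client mismatch or clock skew"
        if (t["client"], a["ts"]) in self.seen:      # replay cache
            return False, "replayed authenticator"
        self.seen.add((t["client"], a["ts"]))
        return True, t["client"]

def client_login(kdc, radius, principal, password, zone, now=None):
    """Supplicant side: obtain a zone ticket, then present it to the zone's RADIUS server."""
    now = now or time.time()
    k = user_key(password, principal)                # derived locally, never sent
    ticket, reply = kdc.get_service_ticket(principal, zone, toy_encrypt(k, {"ts": now}), now)
    session = bytes.fromhex(toy_decrypt(k, reply)["session"])
    authenticator = toy_encrypt(session, {"client": principal, "ts": now})
    return ticket, authenticator, radius.authorize(ticket, authenticator, now)

def demo():
    """Constructed scenario: one user, two zones, plus replay / wrong-zone / bad-password cases."""
    alice, pw = "alice@EXAMPLE.COM", "correct horse battery"
    z1n, z2n = "wlan/zone1@EXAMPLE.COM", "wlan/zone2@EXAMPLE.COM"
    zones = {z1n: os.urandom(32), z2n: os.urandom(32)}
    kdc = KDC({alice: user_key(pw, alice)}, zones)
    z1, z2 = ZoneRadiusServer(z1n, zones[z1n]), ZoneRadiusServer(z2n, zones[z2n])
    ticket, auth, ok = client_login(kdc, z1, alice, pw, z1n)
    results = {"zone1": ok,
               "replay": z1.authorize(ticket, auth),      # same authenticator again
               "wrong_zone": z2.authorize(ticket, auth)}  # zone1 ticket at zone2
    try:
        client_login(kdc, z1, alice, "wrong password", z1n)
        results["bad_password"] = "accepted"
    except ValueError:
        results["bad_password"] = "rejected"
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The point to take from the model is the trust boundary: the zone's RADIUS server decides purely from its keytab entry and the ticket contents, so compromising one zone server exposes that zone's service key but no user secrets, and a ticket issued for one zone is rejected by every other zone's server because it cannot even pass the integrity check. The replay cache and clock-skew checks mirror what a real Kerberos acceptor does with the authenticator.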
Labels: wireless, security, Kerberos