Hi Frank & Hugh,

Thanks. It sounds rather silly to me, to build such a thing and conceal the protocol — especially with Apple not active on the server market, an open protocol would seem the best choice?

There is one potential other link I found, but I’m not sure if it works — RADIUS has a (rather concealed) Auth-Type Kerberos implemented in rlm_krb5. This might be another route through which it can be achieved, but then still I’m uncertain how RADIUS would fit in with PPTP and/or L2TP.

I found a description of how to enable eduroam with Kerberos authentication — and since this is 802.1x I assumed that EAP is used.
https://www.eduroam.us/node/45

This runs inside TTLS, and that’s where I got stuck, since I assumed it always ran one of the modes of
https://tools.ietf.org/html/rfc5281#section-11.2

However, reading
https://tools.ietf.org/html/rfc5281#section-10
it appears that general AVPs for RADIUS / DIAMETER are supported — and that includes RADIUS’ support for Kerberos authentication. Except that it is not supported by the IANA registry,
http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10

This continues to puzzle me… one, the incredible path to get to Kerberos as a result of all these generic switch points, and second, the lack of an official spec for this use of Kerberos.

Cheers,
-Rick

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos