Hi Frank,

> I didn't read the document, but from the name of it the EAP-GSS method I
> noted earlier would be a true Kerberos authentication -- the client has to
> pass on a Kerberos token, not a password. It sounded like that's what you
> were going after.

Yes, it is, ideally.

> I wouldn't be surprised if this isn't well
> implemented/supported/documented. It would require the KDC to be out in the
> open (to get the ticket used for the VPN auth) and most folks aren't going to
> do that.

Interesting observation. When we go cross-realm, we'll have to open our KDCs to the public… at least the TGS part, but that's indistinguishable from the AS part (same SRV record)…

-Rick