On 2015-10-04 18:30, Tony Pugielli wrote:
> Good day, I have an environment with MIT Kerberos and Active Directory. Is
> there a way to keep both databases (username and password) in sync? The use
> case is 802.1x authentication. EAP-GTC is not native to many devices so we
> want to use Active Directory so we can take advantage of the more widely
> native supplicant PEAP-MSCHAPV2. We would prefer the user only need to keep
> track of one username and password. Right now the Kerberos MIT database is
> widely used for their single sign-on applications.

AFAIK, you don't strictly need AD for that – if EAP is handled by FreeRADIUS,
kcrap-lnf can handle MSCHAPv2 (i.e. the part ntlm_auth usually handles)
directly using the MIT KDC database, as the rc4-hmac keys are compatible with
what MSCHAPv2 needs.

-- 
Mantas Mikulėnas <graw...@gmail.com>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos