Kerberized Network Access Control
Written by CodeAlias

The use of the Kerberos protocol for network access authentication has several advantages. In this post, I outline why Kerberos authentication for network access control is something every admin would want to have, then introduce the KERNAC project, which is working towards a solution.


Why Kerberos for network access control

In institutions that already use Kerberos as the authentication system controlling access to their application services, reusing the same Kerberos credentials for network access means users only have to carry and remember a single set of credentials: a user name and password. It also reduces the administrative burden on the institution, which no longer has to manage a separate authentication system dedicated to network access. Users benefit from an integrated network access and Kerberos sign-on process, in which the credentials obtained during the network access phase are reused to authenticate to application services.

Second, Kerberos is a lightweight protocol based on inexpensive symmetric key cryptography. In contrast with the most popular authentication mechanisms, which use public key cryptography (such as TLS used with EAP), symmetric keys are better suited to small devices with low computational power. Symmetric key based authentication schemes are also easier to deploy and maintain, since no certificate management and no public key infrastructure is involved.

The KERNAC project

The KERNAC project aims at providing a WPA2/EAP supplicant and a RADIUS server for implementing Kerberized network access control. The WPA2 supplicant “VEAS” (Vornos EAP Supplicant) and RADIUS server “VORAS” (Vornos RADIUS Authentication Server) are available for download from the website.

The EAP supplicant obtains Kerberos credentials (tickets) from the appropriate Windows AD server or Kerberos KDC and uses these credentials to authenticate to the network infrastructure. With the native Kerberos method, the user password is never sent over the network, neither in clear nor in encrypted form, which provides better security and true single sign-on.

Apart from the convenience of unified credentials, Kerberized network access control should perform better than existing methods. This is partly because the authorization credentials (tickets) can be reused to authenticate with the same RADIUS server without contacting a remote KDC at each handover. In roaming situations this means fewer inter-domain exchanges and faster handovers. Real-time applications such as VoIP would greatly benefit from this, at least while waiting for IEEE 802.11r and other handover optimization work within the IETF.
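As an added illustration (my own toy model, not the KERNAC project's VEAS or VORAS code), the Python below sketches the flow the last two paragraphs describe: the supplicant derives its key from the password locally, a simplified AS exchange returns a session key and a ticket sealed for the RADIUS server, and the cached ticket is then presented at a second access point without another KDC contact. The principal and service names are constructed, and the SHA-256 keystream cipher is a toy stand-in for the AES encryption real Kerberos uses.

```python
import hashlib, hmac, json, os, time
def derive_key(password, principal):  # client-side; the password never leaves the host
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):  # toy cipher: SHA-256 counter-mode keystream, not for production
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):  # toy encrypt-then-MAC, standing in for the AES modes real Kerberos uses
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, users, services):  # name -> symmetric key, for principals and services
        self.users, self.services, self.requests = users, services, 0
    def issue(self, principal, service):  # simplified AS exchange: session key + service ticket
        self.requests += 1
        sk = os.urandom(32).hex()
        ticket = seal(self.services[service], {"principal": principal, "sk": sk, "exp": time.time() + 3600})
        return seal(self.users[principal], {"sk": sk, "ticket": ticket.hex()})

class RadiusServer:
    def __init__(self, key): self.key = key
    def verify(self, ticket, authenticator):  # local check only: no KDC round trip per handover
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        fresh = t["exp"] > time.time() and abs(time.time() - a["ts"]) < 300
        return t["principal"] if fresh and a["principal"] == t["principal"] else None

class Supplicant:
    def __init__(self, principal, password):
        self.principal, self.key, self.creds = principal, derive_key(password, principal), None
    def obtain(self, kdc, service):  # wrong password -> wrong key -> unseal raises ValueError
        self.creds = unseal(self.key, kdc.issue(self.principal, service))
    def authenticate(self, radius):  # reuse the cached ticket; only a fresh authenticator is built
        auth = seal(bytes.fromhex(self.creds["sk"]), {"principal": self.principal, "ts": time.time()})
        return radius.verify(bytes.fromhex(self.creds["ticket"]), auth)

def handover_demo():  # two APs behind one RADIUS server: both accept Alice, the KDC is asked once
    principal, service, radius_key = "alice@EXAMPLE.ORG", "radius/nac.example.org", os.urandom(32)  # constructed
    kdc = KDC({principal: derive_key("correct horse", principal)}, {service: radius_key})
    alice = Supplicant(principal, "correct horse")
    alice.obtain(kdc, service)
    return [alice.authenticate(RadiusServer(radius_key)) for _ in range(2)], kdc.requests  # AP1, then AP2
```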
