There are 2 problems we'd like to solve.
1) delegation - the user does not need to be involved (after the delegation
request is made) and, having the KDC in play, we do not need to send the
ticket to the peer. Having a (restricted) TGT at the service should be
sufficient.
2) SSO and fast reauthentication. Having a TGT at the peer site would be
a nice optimization for multiple auths and would bring SSO too.
The use case for 1) I tried to explain earlier:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=MOONSHOT-COMMUNITY;a42cd60a.1212
Marcel
On 07/28/2013 03:36 PM, Sam Hartman wrote:
>>>>>> "Marcel" == Marcel Poul <[log in to unmask]> writes:
>
> Marcel> Hi Sam, we wanted to use KDC via Freeradius to send TGTs (or
> Marcel> other tickets) to the client (for SSO).
>
> OK.
> I'd like to better understand your problem statement.
> In general it seems that the peer and AAA server already share a
> credential. Kerberos might be an optimization, but I don't understand
> how tickets help a delegation situation where the peer is involved since
> the peer could just authenticate to the EAP server again.
>
> So, I think I'm missing something about the approach and probably about
> what problem you're working toward solving.
>