Specifying Kerberos over EAP: Towards an integrated network access and Kerberos single sign-on process

Saber Zrelli, Y. Shinoda
Published in: 21st International Conference on Advanced Information Networking and Applications (AINA '07), 2007-05-21
DOI: 10.1109/AINA.2007.130 (https://doi.org/10.1109/AINA.2007.130)
Citations: 14

Abstract

Kerberos is a widely deployed authentication system used for authenticating users to various types of application services in open networks. Network access, on the other hand, is a service that is generally handled separately using authentication frameworks based on the Extensible Authentication Protocol (EAP). EAP, specified by the IETF in RFC 3748, is well on its way to becoming an industry standard for network access control. It provides an extensible, link-layer-agnostic protocol for carrying various authentication methods. In this paper, we design the integration of the Kerberos protocol as an authentication method in existing EAP-based authentication frameworks. We define the architectural elements and their interactions, then we specify the encapsulation of Kerberos messages in EAP packets. The use of Kerberos as an EAP authentication mechanism allows institutions that manage their individuals using a Kerberos system to reuse the same credentials for network access authentication instead of managing a different set of credentials such as Unix passwords or public key certificates. Moreover, the proposed framework allows users to sign on to the network as a consequence of successful network access authentication, eliminating the need for additional login procedures necessary for accessing application services.