9

Is Radius just a better version of Kerberos? I can't find anything about this. If you set up a Radius server in a modern network do you need Kerberos at all?

User104163

2 Answers

12

Kerberos will verify your credentials and give you a "ticket" that you can use to prove to other systems/services that you are you. The ticket will expire, and doesn't contain your credentials. You have to be on the network for this to work. More information on Kerberos can be found here: MIT - Kerberos

RADIUS is a way to get on the network. You give your credentials, and they will be checked before you are allowed access to the network. More information on RADIUS can be found here: Wikipedia Entry

So when you are trying to access a network, you provide your credentials and RADIUS will check to see if you are allowed on the network. If you have wrong credentials, you don't get on.

After you are on the network, you will want to have access to other services, i.e. email. This is where Kerberos comes in. You authenticate to Kerberos; if you check out OK, Kerberos will give you the ticket (think of a pass) that you can use to access those other services without having to spread your actual credentials everywhere.

Stephen Spencer
  • So they're completely different things? Should both be installed in a network? – User104163 May 24 '16 at 17:56
  • 1
    Yes, they serve different functions, but both deal with credentials. As far as installing, it depends on what you want in the network. – Stephen Spencer May 24 '16 at 17:59
  • So, a campus network needs both. It needs Radius to authenticate clients who want to log in to the network, and it needs Kerberos to authenticate clients who want to use specific services in that network? – User104163 May 24 '16 at 18:11
  • 2
    *Needs* is a strong word. You *could* use that set-up, or a completely different one. Newer tech is being developed all the time. You could look into OAuth or some others. – Stephen Spencer May 24 '16 at 18:25
  • @StephenSpencer, just wanted to suggest you replace the software-specific GNU Radius link in your answer above, with a more general description of RADIUS. For example, [the Wikipedia entry](https://en.wikipedia.org/wiki/RADIUS). – Forest Monsen May 24 '16 at 18:31
  • One is about giving you access to the network. The other is about being able to give credentials to join the network. – Ramhound May 24 '16 at 20:46
  • Sorry if this is late, does Kerberos still get used in modern networks or should something better be used? – User104163 May 26 '16 at 18:30
9

Radius's task/purpose is to authenticate you at a specific point, i.e. in a web interface or pptp dialup-like server. Every point that needs authentication does a query to a Radius server for your credentials, like login and password.

Kerberos's task/purpose is to distribute trust in your session to all points connected/registered: you perform your full authentication with your login and password only once, and in case of success you're granted a ticket that you will provide to all the points of authentication that trust that Kerberos server. And while the ticket is valid (it can be revoked and it has a lifetime timer) you're not authenticating at these points: you're just providing your ticket instead and they're assuming (not authenticating!) that it is you.

Alexey Vesnin
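A toy model of the contrast both answers draw, added here as an illustration and not taken from either answer or from any real RADIUS or Kerberos implementation: the RADIUS-style check sends credentials for every access decision, while the Kerberos-style flow checks them once and hands out an expiring ticket that the service verifies with its own key. All names, keys and user data are constructed, and the ticket is HMAC-signed JSON as a simplification (real Kerberos encrypts tickets with the service's key).

```python
import hashlib, hmac, json, time

def _kdf(password):
    # Constructed salt and iteration count, for this sketch only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)

# Constructed sample data: one user, and one key shared by the KDC and the mail service.
USERS = {"alice": _kdf("correct horse")}
SERVICE_KEYS = {"mail": b"constructed-mail-service-key"}

def check_password(user, password):
    return hmac.compare_digest(USERS.get(user, b""), _kdf(password))

def radius_style_access(user, password):
    """RADIUS-like: the access point forwards the credentials on every request."""
    return "Access-Accept" if check_password(user, password) else "Access-Reject"

def kdc_issue_ticket(user, password, service, lifetime=300, now=None):
    """Kerberos-like: authenticate once, receive a ticket bound to one service."""
    if not check_password(user, password):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "service": service, "expires": now + lifetime})
    mac = hmac.new(SERVICE_KEYS[service], body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac  # carries identity and expiry, never the password

def service_accepts(ticket, service, service_key, now=None):
    """The service validates the ticket offline; it never sees the password."""
    now = time.time() if now is None else now
    body, _, mac = ticket.rpartition(".")
    expected = hmac.new(service_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or altered ticket
    claims = json.loads(body)
    if claims["service"] != service or claims["expires"] < now:
        return None  # issued for another service, or expired
    return claims["user"]

if __name__ == "__main__":
    print(radius_style_access("alice", "correct horse"))
    ticket = kdc_issue_ticket("alice", "correct horse", "mail")
    print(service_accepts(ticket, "mail", SERVICE_KEYS["mail"]))
```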