Article code: 453425
Journal code: 694847
Publication year: 2011
English article: 11-page PDF
Full-text version: Free download
English title of the ISI article
Providing EAP-based Kerberos pre-authentication and advanced authorization for network federations
Related topics
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract

Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits the service access only to service provider's subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the standards SAML and XACML, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.

Research Highlights
► Providing Kerberos-based services in federated networks without cross-realm support.
► End users authentication by means of EAP & AAA, authorization based on SAML & XACML.
► Alternatives to transport EAP between end user and KDC: Kerb/EAP and Kerb/GSSAPI/EAP.
► Main Kerb/EAP pro is simplicity, while Kerb/GSSAPI/EAP provides higher flexibility.
► Analyzed aspects related with the deployment, integration and security.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computer Standards & Interfaces - Volume 33, Issue 5, September 2011, Pages 494–504