What's the difference between RADIUS and Kerberos?

Kerberos will verify your credentials and give you a "ticket" that you can use to prove to other systems/services that you are you. The ticket will expire, and doesn't contain your credentials. You have to be on the network for this to work. More information on Kerberos can be found here: MIT - Kerberos

RADIUS is a way to get on the network. You give your credentials, and they will be checked before you are allowed access to the network. More information on RADIUS can be found here: Wikipedia Entry

So when you are trying to access a network, you provide your credentials and RADIUS will check to see if you are allowed on the network. If you have wrong credentials, you don't get on.

After you are on the network, you will want to have access to other services, i.e. email. This is where Kerberos comes in. You authenticate to Kerberos; if you check out OK, Kerberos will give you the ticket (think of a pass) that you can use to access those other services without having to spread your actual credentials everywhere.


RADIUS's task/purpose is to authenticate you at a specific point, i.e. in a web interface or a PPTP dialup-like server. Every point that needs authentication queries a RADIUS server for your credentials, like login and password.

Kerberos's task/purpose is to distribute trust in your session to all connected/registered points: you perform your full authentication with your login and password only once, and on success you're granted a ticket that you will provide to all the points of authentication that trust that Kerberos server. And as long as the ticket is valid (it can be revoked and it has a lifetime timer), you're not authenticating at these points: you're just providing your ticket instead, and they're assuming (not authenticating!) that it is you.
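The contrast both answers draw, as an added Python sketch that is not part of either answer: a RADIUS-like check where every access point sends credentials to the central server, next to a Kerberos-like ticket that is issued once and validated locally by the service. It is a simplified model: real Kerberos encrypts tickets under the service key and adds session keys and authenticators, while here an HMAC stands in for that; all names, keys and the user record are constructed.

```python
import hashlib, hmac, json, time

# Constructed sample data: one user and one service registered with a toy KDC.
# Toy verifier only: a real server would use salted, slow password hashing.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
SERVICE_KEYS = {"imap/mail": b"constructed-key-shared-by-kdc-and-mail"}

def radius_style_check(user, password):
    """RADIUS-like model: the access point forwards the credentials to the
    central server for every single access decision."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)

def kdc_issue_ticket(user, password, service, lifetime=300, now=None):
    """Kerberos-like model: authenticate once, receive a time-limited ticket
    bound to one service. The ticket carries no password."""
    if not radius_style_check(user, password):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "service": service,
                       "expires": now + lifetime}, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

def service_accept(ticket, service, service_key, now=None):
    """The service validates the ticket with the key it shares with the KDC;
    it never sees the password and does not contact the KDC."""
    now = time.time() if now is None else now
    expected = hmac.new(service_key, ticket["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None                      # forged or modified ticket
    claims = json.loads(ticket["body"])
    if claims["service"] != service or now >= claims["expires"]:
        return None                      # wrong service or expired ticket
    return claims["user"]
```
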