EAP-PEAP GTC vs MSCHAPv2

Don petaluma007 at gmail.com
Fri Sep 27 06:35:53 CEST 2013


Alan,

Thank you for your reply and please find my inline response below.


On Thu, Sep 26, 2013 at 7:54 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Don wrote:
> > That said, if EAP-GTC can be used along with ntlm_auth how do I
> > configure it to make that work?
>
>   Read the "gtc" sub-section of eap.conf.  It tells you how to make
> EAP-GTC use a particular authentication method.
>

I tried each of these inside the "gtc" sub-section of eap.conf, but they don't
seem to work:
        auth_type = ntlm_auth
or
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"

Though I haven't tried replacing User-Password with Cleartext-Password.
Do I have to place this under "gtc" sub-section inside inner-eap?


> > I tried to execute ntlm_auth passing
> > --password=%{User-Password}, but that didn't work as User-Password is
> > empty.
>
>   You tried *where*?  That matters.
>

See my comment earlier. Did I place the configuration at the right
sub-section?


>
> > It says in eap.conf that GTC challenges the user with text and
> > the response from the user is taken to be the User-Password. Perhaps I
> > am executing ntlm_auth too early before GTC Password challenge is sent
> > out and received the response.
> >
> > My questions are:
> > 1. How can I configure freeRadius so GTC will work with ntlm_auth?
>
>   a) configure ntlm_auth as per the deployingradius.com docs, and the
> examples in the config files
>

Yes, I saw the ntlm_auth configuration under modules/mschap and
modules/ntlm_auth. As stated in my first email, I am able to configure
freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2
(ntlm_auth) and I am looking to see if using EAP-GTC will work as well.


>   b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc
> configuration.


As I mentioned earlier, I tried both auth_type = ntlm_auth and the ntlm_auth =
"/usr/bin/ntlm_auth ..." command execution, but neither works.


> > 2. Is it possible to send subsequent GTC challenge in addition to
> > default Password challenge? If possible, how do I configure the
> > subsequent GTC challenge?
>
>   No.  EAP-GTC is only challenge-response.  It doesn't do multiple
> challenges.


The reason I am asking about multiple challenges is that I am currently
evaluating another vendor's solution for multi-factor authentication through
EAP-PEAP/TLS with EAP-GTC, and that solution prompts for 2 additional inputs
during authentication. Here is the link:
https://www.duosecurity.com/docs/netmotion. I thought if they can do it,
freeRadius can do it as well.

>   Alan DeKok.


Regards,
Dono
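An added configuration example, written for this page and not taken from the thread or from FreeRADIUS's shipped files verbatim, showing the three raddb pieces that have to agree for an EAP-GTC inner method to be checked by Samba's ntlm_auth on FreeRADIUS 2.x. The /usr/bin/ntlm_auth path, MYDOMAIN, and the 2.x file layout (modules/ntlm_auth, eap.conf, sites-available/inner-tunnel) are assumptions; whether this resolves the poster's particular setup is not confirmed by the thread.

```conf
# Added example (not from the thread). Paths, MYDOMAIN and the file layout
# are assumptions; adjust to the local installation.

# 1. raddb/modules/ntlm_auth
#    The exec module that runs Samba's ntlm_auth. %{mschap:User-Name} strips
#    any DOMAIN\ or @realm decoration; %{User-Password} is the GTC reply.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# 2. raddb/eap.conf, inside the eap { ... } block
#    The GTC response is stored as User-Password and handed to the module
#    named in auth_type, which must be listed in the inner-tunnel
#    authenticate section below.
gtc {
        # Prompt shown by the supplicant; the reply becomes User-Password
        challenge = "Password: "
        auth_type = ntlm_auth
}

# 3. raddb/sites-available/inner-tunnel
#    The inner (tunneled) request is authenticated here, so the ntlm_auth
#    module has to be listed in this authenticate section, not only in the
#    outer default server. Other entries of the section are omitted.
authenticate {
        ntlm_auth
        eap
}
```

Because EAP-GTC carries the password in clear text inside the PEAP TLS tunnel and this module then passes it on the ntlm_auth command line, the password is briefly visible in the process list of the RADIUS host; keep that host locked down and check with radiusd -X that User-Password is populated only in the inner-tunnel request, after the GTC reply has arrived.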