EAP-PEAP GTC vs MSCHAPv2

Don petaluma007 at gmail.com
Fri Sep 27 18:09:29 CEST 2013


On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok <aland at deployingradius.com> wrote:

> Don wrote:
> > I tried one of these inside the "gtc" sub-section of eap.conf; they don't
> > seem to work:
> >         auth_type = ntlm_auth
>
>   Setting that *should* be one step of a working configuration.
>

Ok, thank you for confirming that the above is one step towards a working
configuration.


>
> > or
> >         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
>
>   Set where?  You have been *very* vague about what you're doing.  Is it
> a secret?
>

Nothing secret. As I said, I tried both configurations (one at a time) inside
the "gtc" sub-section of eap.conf.


>
> > Though I haven't tried replacing User-Password with Cleartext-Password.
>
>   Don't do that.  Trying random things is *always* a bad idea.
>

Thank you for confirming again. I won't change it in this case.


>
> > Do I have to place this under "gtc" sub-section inside inner-eap?
>
>   No.  You have to configure the ntlm_auth module, and the ntlm_auth
> sub-section of the "authenticate" section.  All of that is documented in
> the deployingradius.com page.
>
> > See my comment earlier. Did I place the configuration at the right
> > sub-section?
>
>   I have no idea.  You've been careful to say as little as possible, in
> a manner which is as confusing as possible.
>

The two configurations mentioned earlier, I tried them both inside the "gtc"
sub-section of eap.conf.


> > Yes, I saw the ntlm_auth configuration under modules/mschap and
> > modules/ntlm_auth. As stated in my first email, I am able to configure
> > freeRadius to authenticate against our Active Directory using
> > EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
> > work as well.
>
>   It WILL work.  Just set "auth_type = ntlm_auth" in the gtc
> configuration.  As I said.
>

I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth
module, though there is a modules/ntlm_auth created when I configured
EAP-MSCHAPv2 with ntlm_auth.


>
> > As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
> > = "/usr/bin/ntlm_auth ..." command execution, but that doesn't work.
>
>   So... rather than following instructions, you're trying random things.
>
>   How about running it in debugging mode, as suggested in the FAQ, "man"
> page, web pages, and daily on this list?
>
>   The reason we recommend it is that IT WORKS.  If you're trying random
> nonsense, you're wasting your time, and ours.
>

So far I have tried adding two configurations inside the "gtc" sub-section of
eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and
I will capture the error later.


>
> > The reason I am asking the question of multiple challenges because I am
> > currently evaluating another vendor solution for multi-factor
> > authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2
> > additional inputs during authentication. Here is the
> > link: https://www.duosecurity.com/docs/netmotion. I thought if they can
> > do it, freeRadius can do it as well.
>
>   The issue is the EAP-GTC specification, and the clients.  Last I
> recall, it didn't support multiple challenge-responses.
>
>   If it does, then it's possible to upgrade FreeRADIUS to do it.  As
> always,
>

My understanding about RADIUS is that the client sends AccessRequest and waits
for either: AccessReject, AccessAccept, or AccessChallenge. If it gets
AccessChallenge and later gets another AccessChallenge again, it will
respond, until it gets AccessAccept or AccessReject. The client that I am
using is NetMotion Mobility XE.

Thank you once again for your response. I apologize if I am wasting your
time; that was not my intention.


> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
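
The three pieces Alan lists in the quoted replies, laid out side by side as an added example (not taken from the thread or from the FreeRADIUS documentation). It assumes a FreeRADIUS 2.x raddb layout and that the tunnelled request is handled by the sites-available/inner-tunnel virtual server; the ntlm_auth command line and the MYDOMAIN placeholder are the ones quoted in Don's message.

```text
# raddb/modules/ntlm_auth  (assumed 2.x file layout)
# Defines the module instance named "ntlm_auth". The command line is the
# one quoted in the thread; MYDOMAIN is a placeholder.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
}

# raddb/eap.conf, inside the eap { ... } block
gtc {
	# Hand the GTC response to the Auth-Type defined below.
	auth_type = ntlm_auth
}

# raddb/sites-available/inner-tunnel
# (assumed to be the virtual server that processes the tunnelled request)
authenticate {
	# ... existing entries stay as they are ...

	# Gives "auth_type = ntlm_auth" something to resolve to and runs
	# the module instance defined in modules/ntlm_auth.
	Auth-Type ntlm_auth {
		ntlm_auth
	}
}
```

The gtc setting only names an Auth-Type, so it has no effect unless the module instance and the authenticate entry both exist; the debug output from running the server in debugging mode shows which of the three is missing.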