FR + EAP-GTC + LDAP (SHA1)

Wed May 20 13:21:04 CEST 2015

Hi,

The aim and assumptions:
-configure FR to authenticate users against OpenLDAP server,
-FR would use EAP method,
-passwords in LDAP are stored as SHA1,
-according to http://deployingradius.com/documents/protocols/compatibility.html the only way to deal with LDAP auth is to use PAP or EAP-GTC. Since client forces EAP method we have no choice than EAP-GTC. Is that correct?
-clients are EAP-GTC capable,
-FR v2.2.6.

After some hours in my lab I finished with the following FR config:
1) in eap.conf:
-in eap general settings I set default_eap_type to "gtc"
-in gtc section I put "auth_type = LDAP".
2) in sites-enabled/default:
-authorize section - not touched,
-authentication section - uncomment "Auth-Type LDAP { ldap }",

And it is working fine! Now, the questions:
a) I am afraid about your comments in gtc section. It stands that:
                #  Currently, this is only permitted inside of EAP-TTLS,
                #  or EAP-PEAP.  The module "challenges" the user with
                #  text, and the response from the user is taken to be
                #  the User-Password.
                #
                #  Proxying the tunneled EAP-GTC session is a bad idea,
                #  the users password will go over the wire in plain-text,
                #  for anyone to see.
Can I use eap-gtc "alone" without PEAP/TTLS? Secure tunnel is delivered via IPsec connection so I do not bother about security in that case. What is your opinion?
b) How would you configure FR to meet mentioned above requirements?

Gabriel