Hello,


We are configuring EAP-GTC in our FreeRADIUS environment (please note that SAS is our authentication server):

Radius Client
SAS freeRadius agent
 

 


PEAP (freeRadius) SASAccess Request (username password over EAP-GTC)TokenValidator Web ServiceVerify user and password with Active DirectoryAccess  Challenge Response  (EAP-GTC)Second Access Request (OTP over EAP-GTC)Access Request  (OTP over PAP)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Our questions are:

1)      Do you happen to know how do we obtain the plain password provided in the first Access Response message? Currently we attempt to access the active directory by running an external execution program. This means we need to get the password attribute via freeRadius attributes/environment. If we fail to find a way to get the password information from freeRadius environment then we would consider changing our design by writing a freeRadius code module.

 

2)      The PEAP (which is actually a freeRadius instance) is currently configured is to work to proxy all access requests. This is done by setting the “users” configuration file redirect every incoming access request (DEFAULT FreeRADIUS-Proxied-to == 127.0.0.1, Proxy-to-Realm := DEFAULT). Do you know if there is way to apply redirection upon demand (in our case we would like to handle the first access request locally by verifying the username and password against the AD and redirect only the second access request, containing the user’s OTP).

 

3)      The OTP in the second access request is provided as a plain text (over ssl). Is there any way we proxy it to freeRadius agent in a secure way (e.g. MSCHAP2)?

 

4)      Do you have any good references for freeRadius configuration docs?

 

 

 

Regards,

 

Yariv Levavi

SafeNet's Integration Team

 

The information contained in this electronic mail transmission 
may be privileged and confidential, and therefore, protected 
from disclosure. If you have received this communication in 
error, please notify us immediately by replying to this 
message and deleting it from your computer without copying 
or disclosing it.