On Oct 22, 2019, at 3:55 PM, dev@cyphermonks.org wrote:
we want to use public-key-authentication with WPA2.
I'm not clear what that means.
the appropriate method to use seems to be EAP-GTC (plain, nothing around it needed).
Except that EAP-GTC does not provide for the EAP MSK which is required for WPA2 enterprise to work. You MUST use an EAP method that generates an MSK. e.g. PEAP, TTLS, EAP-TLS, SIM, AKA, FAST But not EAP-GTC or EAP-MD5.
this (site config): authorize { update control { Auth-Type := `query-user-pubkey_decrypt-challenge_compare.script '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}' '%{Challenge}'` } } (with script returnig Accept or Reject) seems to work in general. first problem is that %{challenge} (or %{Challenge} or %{Access-Challenge}) seems not to expand to the challenge - what's the challenge's variable name?
Do you mean the EAP-GTC challenge sent to the end user? If so, it isn't in any variable. If it was, it would be documented.
the second problem is: how can the challenge be set dynamically? setting "challenge" in eap{gtc{}} to a script using `` does not work. anybody with hints on this?
You can't set the challenge dynamically. Patches are welcome. Alan DeKok.