On Sep 11, 2019, at 1:53 PM, <[hidden email]> <[hidden email]> wrote:
Is it possible to send a challenge response to a user asking them to
enter a
OPT (One Time Password) token using PEAP with GTC?
Read raddb/mods-available/eap. There's a "gtc" subsection. Which contains a "challenge" parameter.
This is documented.
I have the challenge parameter set, but the user never seems to get prompted to enter their OTP password. Not sure if I have it set correctly. There is what I have configured: gtc { # The default challenge, which many clients # ignore.. challenge = "OTP Password: " # The plain-text response which comes back # is put into a User-Password attribute, # and passed to another module for # authentication. This allows the EAP-GTC # response to be checked against plain-text, # or crypt'd passwords. # # If you say "Local" instead of "PAP", then # the module will look for a User-Password # configured for the request, and do the # authentication itself. # #auth_type = PAP auth_type = ntlm_auth }
I have followed the documentation example and got this working with PAP, but our security team will not allow us to use PAP due to security concerns with the week encryption used by PAP.
Your security team is wrong. There are no known security issues with the encryption scheme used by PAP.
According to our security team, PAP uses a simple xor between the paasowrd and the hashed value of the shared secret. According to them, this would make it easy to decrypt the user passwords in intercepted packets. Regardless if this is true or not, I don't think I will be able to get them to approve us using PAP. This means I'm stuck using on of the other types.
The problem I seem to be having is that when I use "challenge" in the authenticate section of the inner-tunnel configuration it seems to break the tunnel. When I do this I get the following error message in the debug:
eap: ERROR: Failed continuing EAP GTC (6) session. EAP sub-module failed.
Don't invent things. Read the documentation. and configure the server as documented.
Alan DeKok.
I am trying to follow the documentation, but I couldn't find any examples of how to do two factor authentication other then through PAP. I found a few other posts that other users made who were having similar problems, but I didn't see any replies where they were able to get it working or how they did it. I have read through the documentation contained in the various config files and am doing my best to try an follow it, but I am having issues understanding how to do the two-factor authentication through GTC. I have the first part of the authentication working where the user sends their username and password and this gets passed through to ntlm_auth and authenticated through active directory. If the credentials are correct, the user gets logged in without being requested for the second factor. This is why I was trying to send a challenge in the authenticate section since this is how I got it to work with PAP. If I remove this from the config, the error goes way, but the user gets authenticated without being promted for the second credential. This is what my authentication section looks like with the challenge removed: authenticate { Auth-Type PAP { pap } Auth-Type MSCHAP { mschap } mschap Auth-Type ntlm_auth { ntlm_auth } eap } I'm not sure what I am missing that is preventing the users from getting prompted for the second factor.