Alan, Thank you for your reply and please find my inline response below. On Thu, Sep 26, 2013 at 7:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Don wrote:
That said, if EAP-GTC can be used along with ntlm_auth how do I configure it to make that work?
Read the "gtc" sub-section of eap.conf. It tells you how to make EAP-GTC use a particular authentication method.
I tried one of these inside "gtc" sub-section of eap.conf, that don't seem to work: auth_type = ntlm_auth or ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}" Though I haven't tried replacing User-Password with Cleartext-Password. Do I have to place this under "gtc" sub-section inside inner-eap?
I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty.
You tried *where*? That matters.
See my comment earlier. Did I place the configuration at the right sub-section?
It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early before GTC Password challenge is sent out and received the response.
My questions are: 1. How can I configure freeRadius so GTC will work with ntlm_auth?
a) configure ntlm_auth as per the deployingradius.com docs, and the examples in the config files
Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.
b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc configuration.
As I mentioned earlier, I tried both auth_type = ntlm_auth nor ntlm_auth = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
2. Is it possible to send subsequent GTC challenge in addition to default Password challenge? If possible, how do I configure the subsequent GTC challenge?
No. EAP-GTC is only challenge-response. It doesn't do multiple challenges.
The reason I am asking the question of multiple challenges because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regards, Dono