whopeman wrote:
I am fairly new to FreeRADIUS, so pelase bear with me a bit. I have searched the forums and websites to find an implementation that allows me to configure my server to process BOTH PEAP MSCHAP and PEAP/EAP-GTC (v0 and v1). I have not found anyone trying to do this, but I am not working on a production system this is for test purposes.
Don't use PEAPv1. It's even less documented than PEAPv0. It's used by pretty much no one.
My GOAL: I am working to setup a test environment that allows us to test our products using EAP-TLS, EAP-TTLS, LEAP, PEAP/MSChap, and PEAP/EAP-GTC.
Don't use LEAP. It's insecure. Don't put it into new products, and don't allow people to configure it.
CURRENT: What I have so far is a working system that processes everything except PEAP/EAP-GTC. All authentication is performed through a local LDAP solution (setup with CLEAR-TEXT again testing not production).
FreeRADIUS does this in the default install, and contains EAP tests (src/tests) for all major EAP types.
I have run wireshark and grabbed the packet traces as well, when my client connects it requests PEAP as the preferred auth type but FR seems to be pushing v0 as the request type and does not seem to be allowing for v1. My client does not handle this gracefully.
Then the client is broken, and should be fixed.
My QUESTION: Is there an easy way to configure FR to allow for both types of requests?
Not really. By the time that the client has sent a PEAPv1 request, the EAP session has started. You can't switch EAP sessions from the "eap" module to the "eap2" module.
I have been looking at the virtual server options without much luck in understanding how to configure a secondary virtual server to provide a GTC interface. If that is a recommendation, any guidance on setting up a straight EAP-GTC via LDAP virtual server would be appreciated.
Read eap.conf. Look for "gtc". This is documented. It works in the default install. Alan DeKok.