I take it that means EAP-PEAP (as well ass EAP-TTLS) provides protected tunnel already, and as such when used in PEAP-GTC, it may be used to provide support for cleartext password. Is my interpretation correct?
Yes. But you (ie. server) don't have a password (clear or encrypted) for matching.
(2) What is the difference (security-wise) between setting auth-type PAP and LDAP within PEAP-GTC, since both have clear-text passwords inside the GTC tunnel?
None.
(3) Why is the authorize/authentication combo beahvior between main radiusd.conf and inner-tunnel different with regards to LDAP bind as user? Is it : a. Design choice (e.g programmers choice, or to comply with RFP or other standards), or b. A bug
It's not. You have to tell GTC what authentication method to use. That is than set in the configuration file and can't be changed during request processing. If you leave the server to set the auth method ... If you would force DEFAULT Auth-Type := System in users file, ldap "bind as user" wouldn't work. If you put LDAP, system passwords won't work. That is in essence what GTC does. Ivan Kalik Kalik Informatika ISP