On Fri, Feb 27, 2009 at 9:54 PM, <tnt@kalik.net> wrote:
The thing that I don't get yet is why on normal radius packet (without PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap module can use either user password stored in LDAP or bind as user. With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.
RFC: "The EAP GTC method is intended for use with the Token Cards supporting challenge/response authentication and MUST NOT be used to provide support for cleartext passwords in the absence of a protected tunnel with server authentication."
Let me rephrase my question to several different parts : (1) eap.conf says # Generic Token Card. # # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. I take it that means EAP-PEAP (as well ass EAP-TTLS) provides protected tunnel already, and as such when used in PEAP-GTC, it may be used to provide support for cleartext password. Is my interpretation correct? (2) What is the difference (security-wise) between setting auth-type PAP and LDAP within PEAP-GTC, since both have clear-text passwords inside the GTC tunnel? (3) Why is the authorize/authentication combo beahvior between main radiusd.conf and inner-tunnel different with regards to LDAP bind as user? Is it : a. Design choice (e.g programmers choice, or to comply with RFP or other standards), or b. A bug