Thing is that, colleague has a software, developed by his company, I cannot disclose which one, that can test eap-gtc,and that works. And the thing is, when he tries to connect to freeradius server I set up, he cannot auth with domain username and pw. He can auth with EAP-TLS, EAP-TTLS with PAP, EAP-mschapv1 and EAP-mschapv2 and the only thing left to try is EAP-GTC. So my question is, what need's to be done on server side to make that happen? This is server output [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "testpass" [pap] No password configured for the user. Cannot do authentication ++[pap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject SSL: Removing session 28767d93f75a91c5975ff5a5bb2862e3703de9c700b7e4e1a6db061068d2a37a from the cache [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user test [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated So my question is, what needs to be setup in order to make eap-gtc work with win2k3 domain? Thanks once again, you've been most helpful Cheers, Petar On Fri, Jun 26, 2009 at 14:10, Ivan Kalik <tnt@kalik.net> wrote:
All of this is for testing purposes. So, I just need all of those methods to work, if it can't work with domain, then cleartext password will be fine. Can you give me some more info about seting up TTLS-GTC, testing is being done on Windows XP. Also, for EAP-TTLS with chap, enabling user is enough, right?
Every method that works with passwords will work with Cleartext-Password in users file. Working with encrypted passwords is restricting choice.
wpa_supplicant has a Windows port. It should work with all the mentioned protocols. For download and documentation (installation, configuration) look up their site. Their testing tool (eapol_test) is used extensively by freeradius developers for testing EAP protocols without the hardware.
Ivan Kalik Kalik Informatika ISP