Thing is that, colleague has a software, developed by his company, I cannot disclose which one, that can test eap-gtc,and that works. And the thing is, when he tries to connect to freeradius server I set up, he cannot auth with domain username and pw. He can auth with EAP-TLS, EAP-TTLS with PAP, EAP-mschapv1 and EAP-mschapv2 and the only thing left to try is EAP-GTC. So my question is, what need's to be done on server side to make that happen?

This is server output

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "testpass"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
    EAP-Message = 0x04030004
    Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
  SSL: Removing session 28767d93f75a91c5975ff5a5bb2862e3703de9c700b7e4e1a6db061068d2a37a from the cache
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user test
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> Anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated


So my question is, what needs to be setup in order to make eap-gtc work with win2k3 domain?

Thanks once again, you've been most helpful

Cheers,

Petar

On Fri, Jun 26, 2009 at 14:10, Ivan Kalik <tnt@kalik.net> wrote:
> All of this is for testing purposes. So, I just need all of those methods
> to
> work, if it can't work with domain, then cleartext password will be fine.
> Can you give me some more info about seting up TTLS-GTC, testing is being
> done on Windows XP. Also, for EAP-TTLS with chap, enabling user is enough,
> right?

Every method that works with passwords will work with Cleartext-Password
in users file. Working with encrypted passwords is restricting choice.

wpa_supplicant has a Windows port. It should work with all the mentioned
protocols. For download and documentation (installation, configuration)
look up their site. Their testing tool (eapol_test) is used extensively by
freeradius developers for testing EAP protocols without the hardware.

Ivan Kalik
Kalik Informatika ISP