On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok <aland@deployingradius.com>wrote:
Don wrote:
I tried one of these inside "gtc" sub-section of eap.conf, that don't seem to work: auth_type = ntlm_auth
Setting that *should* be one step of a working configuration.
Ok, thank you for confirming that the above is one step towards working configuration.
or ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
Set where? You have been *very* vague about what you're doing. Is it a secret?
Nothing secret, as I said I tried both configuration (one at a time) inside "gtc" sub-section of eap.conf.
Though I haven't tried replacing User-Password with Cleartext-Password.
Don't do that. Trying random things is *always* a bad idea.
Thank you for confirming again. I won't change it in this case.
Do I have to place this under "gtc" sub-section inside inner-eap?
No. You have to configure the ntlm_auth module, and the ntlm_auth sub-section of the "authenticate" section. All of that is documented in the deployingradius.com page.
See my comment earlier. Did I place the configuration at the right sub-section?
I have no idea. You've been careful to say as little as possible, in a manner which is as confusing as possible.
The two configurations mentioned earlier, I tried it both inside "gtc" sub-section of eap.conf.
Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.
It WILL work. Just set "auth_type = ntlm_auth" in the gtc configuration. As I said.
I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth module though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.
As I mentioned earlier, I tried both auth_type = ntlm_auth nor ntlm_auth = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
So... rather than following instruction,s you're trying random things.
How about running it in debugging mode, as suggested in the FAQ, "man" page, web pages, and daily on this list?
The reason we recommend it is that IT WORKS. If you're trying random nonsense, you're wasting your time, and ours.
So far I have tried adding two configurations inside "gtc" sub-section of eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and I will capture the error later.
The reason I am asking the question of multiple challenges because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.
The issue is the EAP-GTC specification, and the clients. Last I recall, it didn't support multiple challenge-responses.
If it does, then it's possible to upgrade FreeRADIUS to do it. As always,
My understanding about RADIUS is that client sends AccessRequest and wait for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will response, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE. Thank you once again for your response. Apologize if I am wasting your time, not my intention.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html