Don wrote:Setting that *should* be one step of a working configuration.
> I tried one of these inside "gtc" sub-section of eap.conf, that don't
> seem to work:
> auth_type = ntlm_auth
Set where? You have been *very* vague about what you're doing. Is it
> or
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
a secret?
Don't do that. Trying random things is *always* a bad idea.
> Though I haven't tried replacing User-Password with Cleartext-Password.
No. You have to configure the ntlm_auth module, and the ntlm_auth
> Do I have to place this under "gtc" sub-section inside inner-eap?
sub-section of the "authenticate" section. All of that is documented in
the deployingradius.com page.
I have no idea. You've been careful to say as little as possible, in
> See my comment earlier. Did I place the configuration at the right
> sub-section?
a manner which is as confusing as possible.
It WILL work. Just set "auth_type = ntlm_auth" in the gtc
> Yes, I saw the ntlm_auth configuration under modules/mschap and
> modules/ntlm_auth. As stated in my first email, I am able to configure
> freeRadius to authenticate against our Active Directory using
> EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
> work as well.
configuration. As I said.
So... rather than following instruction,s you're trying random things.
> As I mentioned earlier, I tried both auth_type = ntlm_auth nor ntlm_auth
> = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
How about running it in debugging mode, as suggested in the FAQ, "man"
page, web pages, and daily on this list?
The reason we recommend it is that IT WORKS. If you're trying random
nonsense, you're wasting your time, and ours.
The issue is the EAP-GTC specification, and the clients. Last I
> The reason I am asking the question of multiple challenges because I am
> currently evaluating another vendor solution for multi-factor
> authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2
> additional inputs during authentication. Here is the
> link: https://www.duosecurity.com/docs/netmotion. I thought if they can
> do it, freeRadius can do it as well.
recall, it didn't support multiple challenge-responses.
If it does, then it's possible to upgrade FreeRADIUS to do it. As
always,