The LDAP server I'm authenticating against is Lotus Domino, which stores user password in a Lotus-specific encryption. The only way to use freeradius to authenticate against it is with "bind as user".
Talk about "painting yourself into a corner".
The thing that I don't get yet is why on normal radius packet (without PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap module can use either user password stored in LDAP or bind as user. With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.
RFC: "The EAP GTC method is intended for use with the Token Cards supporting challenge/response authentication and MUST NOT be used to provide support for cleartext passwords in the absence of a protected tunnel with server authentication."
I was hoping that with gtc set to pap the inner-tunnel can use multiple modules to authenticate, including bind as user when using LDAP.
EAP TTLS/PAP. Ivan Kalik Kalik Informatika ISP