Levavi, Yariv wrote:
We are configuring EAP-GTC in our FreeRADIUS environment (please note that SAS is our authentication server):
There's no need to post huge diagrams to the list. We're already aware of how EAP works.
1) Do you happen to know how do we obtain the plain password provided in the first Access Response message?
There is no plain-text password in the first message. Perhaps you could look at the debug output to see what's going on.
2) The PEAP (which is actually a freeRadius instance) is currently configured is to work to proxy all access requests. This is done by setting the “users” configuration file redirect every incoming access request (DEFAULT FreeRADIUS-Proxied-to == 127.0.0.1, Proxy-to-Realm := DEFAULT). Do you know if there is way to apply redirection upon demand (in our case we would like to handle the first access request locally by verifying the username and password against the AD and redirect only the second access request, containing the user’s OTP).
Yes. Write "unlang" statements to check for a condition, and then forward only if the condition is met. If you want a more specific answer, you'll have to ask a more specific question.
3) The OTP in the second access request is provided as a plain text (over ssl). Is there any way we proxy it to freeRadius agent in a secure way (e.g. MSCHAP2)?
No. Proxying EAP-GTC is a bad idea. Don't do it.
4) Do you have any good references for freeRadius configuration docs?
FreeRADIUS comes with a lot of documentation. Do you have a specific question? There's also a start at full documentation here: http://networkradius.com/doc/ Alan DeKok.