All, I have successfully configured freeRadius using EAP-PEAP with: 1. GTC to authenticate user against local password 2. MSCHAPv2 to authenticate user against Active Directory via ntlm_auth following instructions on this link: http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW... I also understand from reading this link that EAP-GTC can be used (compatible) with ntlm_auth: http://deployingradius.com/documents/protocols/compatibility.html That said, if EAP-GTC can be used along with ntlm_auth how do I configure it to make that work? I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty. It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early before GTC Password challenge is sent out and received the response. My questions are: 1. How can I configure freeRadius so GTC will work with ntlm_auth? 2. Is it possible to send subsequent GTC challenge in addition to default Password challenge? If possible, how do I configure the subsequent GTC challenge? Thank you.
Don wrote:
That said, if EAP-GTC can be used along with ntlm_auth how do I configure it to make that work?
Read the "gtc" sub-section of eap.conf. It tells you how to make EAP-GTC use a particular authentication method.
I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty.
You tried *where*? That matters.
It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early before GTC Password challenge is sent out and received the response.
My questions are: 1. How can I configure freeRadius so GTC will work with ntlm_auth?
a) configure ntlm_auth as per the deployingradius.com docs, and the examples in the config files b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc configuration.
2. Is it possible to send subsequent GTC challenge in addition to default Password challenge? If possible, how do I configure the subsequent GTC challenge?
No. EAP-GTC is only challenge-response. It doesn't do multiple challenges. Alan DeKok.
Alan, Thank you for your reply and please find my inline response below. On Thu, Sep 26, 2013 at 7:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Don wrote:
That said, if EAP-GTC can be used along with ntlm_auth how do I configure it to make that work?
Read the "gtc" sub-section of eap.conf. It tells you how to make EAP-GTC use a particular authentication method.
I tried one of these inside "gtc" sub-section of eap.conf, that don't seem to work: auth_type = ntlm_auth or ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}" Though I haven't tried replacing User-Password with Cleartext-Password. Do I have to place this under "gtc" sub-section inside inner-eap?
I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty.
You tried *where*? That matters.
See my comment earlier. Did I place the configuration at the right sub-section?
It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early before GTC Password challenge is sent out and received the response.
My questions are: 1. How can I configure freeRadius so GTC will work with ntlm_auth?
a) configure ntlm_auth as per the deployingradius.com docs, and the examples in the config files
Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.
b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc configuration.
As I mentioned earlier, I tried both auth_type = ntlm_auth nor ntlm_auth = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
2. Is it possible to send subsequent GTC challenge in addition to default Password challenge? If possible, how do I configure the subsequent GTC challenge?
No. EAP-GTC is only challenge-response. It doesn't do multiple challenges.
The reason I am asking the question of multiple challenges because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regards, Dono
Don wrote:
I tried one of these inside "gtc" sub-section of eap.conf, that don't seem to work: auth_type = ntlm_auth
Setting that *should* be one step of a working configuration.
or ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
Set where? You have been *very* vague about what you're doing. Is it a secret?
Though I haven't tried replacing User-Password with Cleartext-Password.
Don't do that. Trying random things is *always* a bad idea.
Do I have to place this under "gtc" sub-section inside inner-eap?
No. You have to configure the ntlm_auth module, and the ntlm_auth sub-section of the "authenticate" section. All of that is documented in the deployingradius.com page.
See my comment earlier. Did I place the configuration at the right sub-section?
I have no idea. You've been careful to say as little as possible, in a manner which is as confusing as possible.
Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.
It WILL work. Just set "auth_type = ntlm_auth" in the gtc configuration. As I said.
As I mentioned earlier, I tried both auth_type = ntlm_auth nor ntlm_auth = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
So... rather than following instruction,s you're trying random things. How about running it in debugging mode, as suggested in the FAQ, "man" page, web pages, and daily on this list? The reason we recommend it is that IT WORKS. If you're trying random nonsense, you're wasting your time, and ours.
The reason I am asking the question of multiple challenges because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.
The issue is the EAP-GTC specification, and the clients. Last I recall, it didn't support multiple challenge-responses. If it does, then it's possible to upgrade FreeRADIUS to do it. As always,
On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok <aland@deployingradius.com>wrote:
Don wrote:
I tried one of these inside "gtc" sub-section of eap.conf, that don't seem to work: auth_type = ntlm_auth
Setting that *should* be one step of a working configuration.
Ok, thank you for confirming that the above is one step towards working configuration.
or ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
Set where? You have been *very* vague about what you're doing. Is it a secret?
Nothing secret, as I said I tried both configuration (one at a time) inside "gtc" sub-section of eap.conf.
Though I haven't tried replacing User-Password with Cleartext-Password.
Don't do that. Trying random things is *always* a bad idea.
Thank you for confirming again. I won't change it in this case.
Do I have to place this under "gtc" sub-section inside inner-eap?
No. You have to configure the ntlm_auth module, and the ntlm_auth sub-section of the "authenticate" section. All of that is documented in the deployingradius.com page.
See my comment earlier. Did I place the configuration at the right sub-section?
I have no idea. You've been careful to say as little as possible, in a manner which is as confusing as possible.
The two configurations mentioned earlier, I tried it both inside "gtc" sub-section of eap.conf.
Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.
It WILL work. Just set "auth_type = ntlm_auth" in the gtc configuration. As I said.
I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth module though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.
As I mentioned earlier, I tried both auth_type = ntlm_auth nor ntlm_auth = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
So... rather than following instruction,s you're trying random things.
How about running it in debugging mode, as suggested in the FAQ, "man" page, web pages, and daily on this list?
The reason we recommend it is that IT WORKS. If you're trying random nonsense, you're wasting your time, and ours.
So far I have tried adding two configurations inside "gtc" sub-section of eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and I will capture the error later.
The reason I am asking the question of multiple challenges because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.
The issue is the EAP-GTC specification, and the clients. Last I recall, it didn't support multiple challenge-responses.
If it does, then it's possible to upgrade FreeRADIUS to do it. As always,
My understanding about RADIUS is that client sends AccessRequest and wait for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will response, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE. Thank you once again for your response. Apologize if I am wasting your time, not my intention.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Don wrote:
Nothing secret, as I said I tried both configuration (one at a time) inside "gtc" sub-section of eap.conf.
That's a problem. NOTHING in the documentation or examples says to do that. LOTS of documentation and examples give the CORRECT way to use ntlm_auth.
I did that, but that didn't work.
See the FAQ for "it doesn't work"
Perhaps I didn't configure the ntlm_auth module though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.
Perhaps you could try following the examples on deployingradius.com, or the examples distributed with the server.
My understanding about RADIUS is that client sends AccessRequest and wait for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will response, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE.
Which is all useless and irrelevant. I asked about the EAP-GTC spec, not RADIUS.
Thank you once again for your response. Apologize if I am wasting your time, not my intention.
If you ask questions on this list, you need to follow the instructions we give. Doing anything else is rude. You've been very careful to say as little as possible about what you're doing. You've also been careful to NOT follow the documentation or examples. That explains why you're having issues making it work. Alan DeKok.
Alan, I finally made EAP-GTC using ntlm_auth to work. Basically my initial configuration inside "gtc" sub-section of raddb/eap.conf was correct and modifying raddb/modules/ntlm_auth from "%{mschap:User-Name}" to "%{User-Name}" was also correct. I can also use %{%{mschap:User-Name}:-%{User-Name}} that is also working fine and won't break mschap testing thru radtest. The problem lies somewhere else, in this case something inside file raddb/users where the following line was added when I configured freeRadius with EAP-MSCHAPv2 and testing it with radtest: DEFAULT Auth-Type := ntlm_auth Once I removed that line from raddb/users, EAP-GTC with ntlm_auth works. So, the "gtc" sub-section inside raddb/eap.conf is as follow: gtc { .... challenge = "Password: " .... .... auth_type = ntlm_auth } and raddb/modules/ntlm_auth content: exec ntlm_auth { wait yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-%{User-Name}} --password=%{User-Password} } Again, thank you for all the supports. Regards, Dono On Fri, Sep 27, 2013 at 9:50 AM, Alan DeKok <aland@deployingradius.com>wrote:
Don wrote:
Nothing secret, as I said I tried both configuration (one at a time) inside "gtc" sub-section of eap.conf.
That's a problem. NOTHING in the documentation or examples says to do that. LOTS of documentation and examples give the CORRECT way to use ntlm_auth.
I did that, but that didn't work.
See the FAQ for "it doesn't work"
Perhaps I didn't configure the ntlm_auth module though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.
Perhaps you could try following the examples on deployingradius.com, or the examples distributed with the server.
My understanding about RADIUS is that client sends AccessRequest and wait for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will response, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE.
Which is all useless and irrelevant. I asked about the EAP-GTC spec, not RADIUS.
Thank you once again for your response. Apologize if I am wasting your time, not my intention.
If you ask questions on this list, you need to follow the instructions we give. Doing anything else is rude.
You've been very careful to say as little as possible about what you're doing. You've also been careful to NOT follow the documentation or examples.
That explains why you're having issues making it work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Don