EAP-PEAP GTC auth_type

tnt at kalik.net
Fri Feb 27 15:54:55 CET 2009

>The LDAP server I'm authenticating against is Lotus Domino, which
>stores user password in a Lotus-specific encryption. The only way to
>use freeradius to authenticate against it is with "bind as user".

Talk about "painting yourself into a corner".

>The thing that I don't get yet is why on normal radius packet (without
>PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap
>module can use either user password stored in LDAP or bind as user.
>With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.

RFC: "The EAP GTC method is intended
      for use with the Token Cards supporting challenge/response
      authentication and MUST NOT be used to provide support for
      cleartext passwords in the absence of a protected tunnel with
      server authentication."

>I was hoping that with gtc set to pap the inner-tunnel can use
>multiple modules to authenticate, including bind as user when using


Ivan Kalik
Kalik Informatika ISP
