EAP-PEAP GTC auth_type
Fajar A. Nugraha
fajar at fajar.net
Sat Feb 28 15:01:00 CET 2009
On Fri, Feb 27, 2009 at 9:54 PM, <tnt at kalik.net> wrote:
>>The thing that I don't get yet is why on normal radius packet (without
>>PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap
>>module can use either user password stored in LDAP or bind as user.
>>With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.
> RFC: "The EAP GTC method is intended
> for use with the Token Cards supporting challenge/response
> authentication and MUST NOT be used to provide support for
> cleartext passwords in the absence of a protected tunnel with
> server authentication."
Let me rephrase my question to several different parts :
(1) eap.conf says
# Generic Token Card.
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
I take it that means EAP-PEAP (as well ass EAP-TTLS) provides
protected tunnel already, and as such when used in PEAP-GTC, it may be
used to provide support for cleartext password. Is my interpretation
(2) What is the difference (security-wise) between setting auth-type
PAP and LDAP within PEAP-GTC, since both have clear-text passwords
inside the GTC tunnel?
(3) Why is the authorize/authentication combo beahvior between main
radiusd.conf and inner-tunnel different with regards to LDAP bind as
user? Is it :
a. Design choice (e.g programmers choice, or to comply with RFP or
other standards), or
b. A bug
More information about the Freeradius-Users