EAP-PEAP GTC auth_type

Fajar A. Nugraha fajar at fajar.net
Sat Feb 28 15:01:00 CET 2009

On Fri, Feb 27, 2009 at 9:54 PM,  <tnt at kalik.net> wrote:
>>The thing that I don't get yet is why on normal radius packet (without
>>PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap
>>module can use either user password stored in LDAP or bind as user.
>>With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.
> RFC: "The EAP GTC method is intended
>      for use with the Token Cards supporting challenge/response
>      authentication and MUST NOT be used to provide support for
>      cleartext passwords in the absence of a protected tunnel with
>      server authentication."

Let me rephrase my question to several different parts :
(1) eap.conf says

                #  Generic Token Card.
                #  Currently, this is only permitted inside of EAP-TTLS,
                #  or EAP-PEAP.  The module "challenges" the user with
                #  text, and the response from the user is taken to be
                #  the User-Password.

I take it that means EAP-PEAP (as well ass EAP-TTLS) provides
protected tunnel already, and as such when used in PEAP-GTC, it may be
used to provide support for cleartext password. Is my interpretation

(2) What is the difference (security-wise) between setting auth-type
PAP and LDAP within PEAP-GTC, since both have clear-text passwords
inside the GTC tunnel?

(3) Why is the authorize/authentication combo beahvior between main
radiusd.conf and inner-tunnel different with regards to LDAP bind as
user? Is it :
a. Design choice (e.g programmers choice, or to comply with RFP or
other standards), or
b. A bug

More information about the Freeradius-Users mailing list