EAP-PEAP GTC auth_type

tnt at kalik.net
Sat Feb 28 16:12:07 CET 2009

>I take it that means EAP-PEAP (as well as EAP-TTLS) provides
>protected tunnel already, and as such when used in PEAP-GTC, it may be
>used to provide support for cleartext password. Is my interpretation

Yes. But you (ie. server) don't have a password (clear or encrypted) for

>(2) What is the difference (security-wise) between setting auth-type
>PAP and LDAP within PEAP-GTC, since both have clear-text passwords
>inside the GTC tunnel?


>(3) Why is the authorize/authentication combo behavior between main
>radiusd.conf and inner-tunnel different with regards to LDAP bind as
>user? Is it :
>a. Design choice (e.g. programmer's choice, or to comply with RFP or
>other standards), or
>b. A bug

It's not. You have to tell GTC what authentication method to use. That
is then set in the configuration file and can't be changed during
request processing. If you leave the server to set the auth method ...
If you would force DEFAULT   Auth-Type := System in users file, ldap
"bind as user" wouldn't work. If you put LDAP, system passwords
won't work. That is in essence what GTC does.

Ivan Kalik
Kalik Informatika ISP

