EAP-PEAP GTC vs MSCHAPv2

Alan DeKok aland at deployingradius.com
Fri Sep 27 15:34:32 CEST 2013


Don wrote:
> I tried one of these inside the "gtc" sub-section of eap.conf, but that
> doesn't seem to work:
>         auth_type = ntlm_auth

  Setting that *should* be one step of a working configuration.

> or
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"

  Set where?  You have been *very* vague about what you're doing.  Is it
a secret?

> Though I haven't tried replacing User-Password with Cleartext-Password.

  Don't do that.  Trying random things is *always* a bad idea.

> Do I have to place this under "gtc" sub-section inside inner-eap?

  No.  You have to configure the ntlm_auth module, and the ntlm_auth
sub-section of the "authenticate" section.  All of that is documented in
the deployingradius.com page.

> See my comment earlier. Did I place the configuration at the right
> sub-section?

  I have no idea.  You've been careful to say as little as possible, in
a manner which is as confusing as possible.

> Yes, I saw the ntlm_auth configuration under modules/mschap and
> modules/ntlm_auth. As stated in my first email, I am able to configure
> freeRadius to authenticate against our Active Directory using
> EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
> work as well.

  It WILL work.  Just set "auth_type = ntlm_auth" in the gtc
configuration.  As I said.

> As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
> = "/usr/bin/ntlm_auth ..." command execution, but that doesn't work.

  So... rather than following instructions, you're trying random things.

  How about running it in debugging mode, as suggested in the FAQ, "man"
page, web pages, and daily on this list?

  The reason we recommend it is that IT WORKS.  If you're trying random
nonsense, you're wasting your time, and ours.

> The reason I am asking the question about multiple challenges is that I am
> currently evaluating another vendor solution for multi-factor
> authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2
> additional inputs during authentication. Here is the
> link: https://www.duosecurity.com/docs/netmotion. I thought if they can
> do it, freeRadius can do it as well.

  The issue is the EAP-GTC specification, and the clients.  Last I
recall, it didn't support multiple challenge-responses.

  If it does, then it's possible to upgrade FreeRADIUS to do it.  As
always,
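The three pieces the reply refers to (the ntlm_auth module, the "gtc" sub-section, and the "authenticate" section of the inner tunnel), put together as an added example. This is not from the thread nor FreeRADIUS' shipped files; the domain name, the ntlm_auth binary path, and the v2-style file names are assumptions.

```conf
# raddb/modules/ntlm_auth  (assumed path; v3 uses mods-available/ntlm_auth)
# Defines the "ntlm_auth" module.  It hands the plaintext password that
# arrived inside the PEAP tunnel to Samba's ntlm_auth helper.
# %{mschap:User-Name} strips a DOMAIN\ or @realm prefix from the login.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/eap.conf, "gtc" sub-section of the eap module.
# EAP-GTC copies the client's plaintext response into User-Password and
# then runs the Auth-Type named here.  The gtc section itself does not
# take a command line, which is why an ntlm_auth = "..." line here fails.
gtc {
        challenge = "Password: "
        auth_type = ntlm_auth
}

# raddb/sites-enabled/inner-tunnel, "authenticate" section.
# The inner EAP-GTC exchange is processed by this virtual server, so the
# module must be listed here for Auth-Type ntlm_auth to have anything to
# run.  Listing the module bare auto-creates the matching Auth-Type.
authenticate {
        ntlm_auth
        eap
}
```

After editing, run radiusd -X as the reply recommends and check that the inner-tunnel request shows Auth-Type = ntlm_auth and the exec module's exit status, rather than guessing at further settings.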


More information about the Freeradius-Users mailing list