EAP-PEAP GTC vs MSCHAPv2

Don petaluma007 at gmail.com
Fri Sep 27 23:34:50 CEST 2013


Alan,

I finally got EAP-GTC using ntlm_auth to work. Basically my initial
configuration inside the "gtc" sub-section of raddb/eap.conf was correct, and
modifying raddb/modules/ntlm_auth from "%{mschap:User-Name}" to
"%{User-Name}" was also correct. I can also use
%{%{mschap:User-Name}:-%{User-Name}}, which also works fine and won't
break mschap testing through radtest.

The problem lies somewhere else, in this case something inside the file
raddb/users, where the following line was added when I configured FreeRADIUS
with EAP-MSCHAPv2 and tested it with radtest:
DEFAULT      Auth-Type := ntlm_auth

Once I removed that line from raddb/users, EAP-GTC with ntlm_auth works.
So, the "gtc" sub-section inside raddb/eap.conf is as follows:

gtc {
    ....
    challenge = "Password: "
    ....
    ....
    auth_type = ntlm_auth
}

and raddb/modules/ntlm_auth content:

exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-%{User-Name}} --password=%{User-Password}"
}

Again, thank you for all the support.


Regards,
Dono
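
The check below is an added example, not part of the original post and not FreeRADIUS code: a small Python scan of a users file for entries that set Auth-Type, which is the kind of leftover line the post reports removing. The function names and the sample file are constructed for illustration; only the "DEFAULT Auth-Type := ntlm_auth" line comes from the post.

```python
import re

# Constructed sample of a raddb/users file; only the first DEFAULT line is from the post.
SAMPLE_USERS = '''\
# test entry (constructed)
bob    Cleartext-Password := "hello"
       Reply-Message = "Hello, %{User-Name}"

DEFAULT      Auth-Type := ntlm_auth

DEFAULT    Framed-Protocol == PPP
       Framed-Protocol = PPP
'''

# One check item: attribute, operator, value (quoted values may contain commas).
CHECK_ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*("[^"]*"|[^,\s]+)')
SETTING_OPS = {":=", "="}  # operators that set a control attribute rather than compare


def parse_entries(text):
    """Yield (line_no, name, check_items) for each entry in a users file."""
    for line_no, line in enumerate(text.splitlines(), 1):
        # Entries start in column 0; indented lines are reply items, '#' is a comment.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        items = CHECK_ITEM.findall(parts[1]) if len(parts) > 1 else []
        yield line_no, parts[0], items


def forced_auth_type(text):
    """Return (line_no, name, op, value, unconditional) for entries that set Auth-Type."""
    findings = []
    for line_no, name, items in parse_entries(text):
        # An entry is unconditional when it is DEFAULT and no item compares anything.
        unconditional = name == "DEFAULT" and all(op in SETTING_OPS for _, op, _ in items)
        for attr, op, value in items:
            if attr.lower() == "auth-type" and op in SETTING_OPS:
                findings.append((line_no, name, op, value, unconditional))
    return findings


if __name__ == "__main__":
    for line_no, name, op, value, unconditional in forced_auth_type(SAMPLE_USERS):
        scope = "with no conditions" if unconditional else "with conditions"
        print(f"line {line_no}: {name} sets Auth-Type {op} {value} {scope}")
```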

On Fri, Sep 27, 2013 at 9:50 AM, Alan DeKok <aland at deployingradius.com> wrote:

> Don wrote:
> > Nothing secret, as I said I tried both configurations (one at a time)
> > inside the "gtc" sub-section of eap.conf.
>
>   That's a problem.  NOTHING in the documentation or examples says to do
> that.  LOTS of documentation and examples give the CORRECT way to use
> ntlm_auth.
>
> > I did that, but that didn't work.
>
>   See the FAQ for "it doesn't work"
>
> > Perhaps I didn't configure the
> > ntlm_auth module though there is modules/ntlm_auth created when I
> > configured EAP-MSCHAPv2 with ntlm_auth.
>
>   Perhaps you could try following the examples on deployingradius.com,
> or the examples distributed with the server.
>
> > My understanding about RADIUS is that the client sends AccessRequest and
> > waits for either: AccessReject, AccessAccept, or AccessChallenge. If it
> > gets AccessChallenge and later gets another AccessChallenge again, it
> > will respond, until it gets AccessAccept or AccessReject. The client
> > that I am using is NetMotion Mobility XE.
>
>   Which is all useless and irrelevant.  I asked about the EAP-GTC spec,
> not RADIUS.
>
> > Thank you once again for your response. I apologize if I am wasting your
> > time, not my intention.
>
>   If you ask questions on this list, you need to follow the instructions
> we give.  Doing anything else is rude.
>
>   You've been very careful to say as little as possible about what
> you're doing.  You've also been careful to NOT follow the documentation
> or examples.
>
>   That explains why you're having issues making it work.
>
>   Alan DeKok.