EAP-GTC configuration
Alan DeKok
aland at deployingradius.com
Thu Jul 24 13:57:21 CEST 2014
Levavi, Yariv wrote:
> We are configuring EAP-GTC in our FreeRADIUS environment (please note
> that SAS is our authentication server):
There's no need to post huge diagrams to the list. We're already
aware of how EAP works.
> 1) Do you happen to know how we obtain the plain password
> provided in the first Access Response message?
There is no plain-text password in the first message. Perhaps you
could look at the debug output to see what's going on.
> 2) The PEAP (which is actually a FreeRADIUS instance) is currently
> configured to proxy all access requests. This is done by
> setting the “users” configuration file to redirect every incoming access
> request (DEFAULT FreeRADIUS-Proxied-to == 127.0.0.1, Proxy-to-Realm :=
> DEFAULT). Do you know if there is a way to apply redirection upon demand
> (in our case we would like to handle the first access request locally by
> verifying the username and password against the AD and redirect only the
> second access request, containing the user’s OTP)?
Yes. Write "unlang" statements to check for a condition, and then
forward only if the condition is met.
If you want a more specific answer, you'll have to ask a more specific
question.
> 3) The OTP in the second access request is provided as plain text
> (over SSL). Is there any way we can proxy it to the FreeRADIUS agent in a secure
> way (e.g. MSCHAP2)?
No. Proxying EAP-GTC is a bad idea. Don't do it.
> 4) Do you have any good references for FreeRADIUS configuration docs?
FreeRADIUS comes with a lot of documentation. Do you have a specific
question?
There's also a start at full documentation here:
http://networkradius.com/doc/
Alan DeKok.