EAP-GTC configuration

Alan DeKok aland at deployingradius.com
Thu Jul 24 13:57:21 CEST 2014

Levavi, Yariv wrote:
> We are configuring EAP-GTC in our FreeRADIUS environment (please note
> that SAS is our authentication server):

  There's no need to post huge diagrams to the list.  We're already
aware of how EAP works.

> 1)      Do you happen to know how do we obtain the plain password
> provided in the first Access Response message?

  There is no plain-text password in the first message.  Perhaps you
could look at the debug output to see what's going on.

> 2)      The PEAP (which is actually a freeRadius instance) is currently
> configured is to work to proxy all access requests. This is done by
> setting the “users” configuration file redirect every incoming access
> request (DEFAULT FreeRADIUS-Proxied-to ==, Proxy-to-Realm :=
> DEFAULT). Do you know if there is way to apply redirection upon demand
> (in our case we would like to handle the first access request locally by
> verifying the username and password against the AD and redirect only the
> second access request, containing the user’s OTP).

  Yes.  Write "unlang" statements to check for a condition, and then
forward only if the condition is met.

  If you want a more specific answer, you'll have to ask a more specific

> 3)      The OTP in the second access request is provided as a plain text
> (over ssl). Is there any way we proxy it to freeRadius agent in a secure
> way (e.g. MSCHAP2)?

  No.  Proxying EAP-GTC is a bad idea.  Don't do it.

> 4)      Do you have any good references for freeRadius configuration docs?

  FreeRADIUS comes with a lot of documentation.  Do you have a specific

  There's also a start at full documentation here:


  Alan DeKok.

More information about the Freeradius-Users mailing list