pubkey-auth, EAP-GTC

Alan DeKok aland at
Tue Oct 22 22:07:49 CEST 2019

On Oct 22, 2019, at 3:55 PM, dev at wrote:
> we want to use public-key-authentication with WPA2.

  I'm not clear what that means.

> the appropriate method to use seems to be EAP-GTC (plain, nothing around it needed).

  Except that EAP-GTC does not provide for the EAP MSK which is required for WPA2 enterprise to work.  You MUST use an EAP method that generates an MSK.


  But not EAP-GTC or EAP-MD5.

> this (site config):
> authorize {
>        update control {
>                Auth-Type := `query-user-pubkey_decrypt-challenge_compare.script '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}' '%{Challenge}'`
>        } 
> }
> (with script returnig Accept or Reject) seems to work in general. first problem is that %{challenge} (or %{Challenge} or %{Access-Challenge}) seems not to expand to the challenge - what's the challenge's variable name?

  Do you mean the EAP-GTC challenge sent to the end user?  If so, it isn't in any variable.  If it was, it would be documented.

> the second problem is: how can the challenge be set dynamically? setting "challenge" in eap{gtc{}} to a script using `` does not work.
> anybody with hints on this?

  You can't set the challenge dynamically.

  Patches are welcome.

  Alan DeKok.

More information about the Freeradius-Users mailing list