How to send a challenge request via PEAP-GTC

Alan DeKok aland at
Wed Sep 11 20:38:08 CEST 2019

On Sep 11, 2019, at 1:53 PM, <ngoetz24 at> <ngoetz24 at> wrote:
> Is it possible to send a challenge response to a user asking them to enter a
> OPT (One Time Password) token using PEAP with GTC?

  Read raddb/mods-available/eap.  There's a "gtc" subsection.  Which contains a "challenge" parameter.

  This is documented.

>  I have followed the
> documentation example and got this working with PAP, but our security team
> will not allow us to use PAP due to security concerns with the week
> encryption used by PAP.  

  Your security team is wrong.  There are no known security issues with the encryption scheme used by PAP.

> The problem I seem to be having is that when I use "challenge" in the
> authenticate section of the inner-tunnel configuration it seems to break the
> tunnel.  When I do this I get the following error message in the debug:
> eap: ERROR: Failed continuing EAP GTC (6) session.  EAP sub-module failed.

  Don't invent things.  Read the documentation. and configure the server as documented.

  Alan DeKok.

More information about the Freeradius-Users mailing list