FW: How to send a challenge request via PEAP-GTC

ngoetz24 at gmail.com ngoetz24 at gmail.com
Wed Sep 11 22:11:52 CEST 2019

> On Sep 11, 2019, at 1:53 PM, <[hidden email]> <[hidden email]> wrote:
>> Is it possible to send a challenge response to a user asking them to enter
>> an OTP (One Time Password) token using PEAP with GTC?
> Read raddb/mods-available/eap.  There's a "gtc" subsection.  Which contains
> a "challenge" parameter.
> This is documented.

I have the challenge parameter set, but the user never seems to get prompted
to enter their OTP password.  Not sure if I have it set correctly.  Here is
what I have configured:


gtc {
        #  The default challenge, which many clients
        #  ignore..
        challenge = "OTP Password: "

        #  The plain-text response which comes back
        #  is put into a User-Password attribute,
        #  and passed to another module for
        #  authentication.  This allows the EAP-GTC
        #  response to be checked against
        #  or crypt'd passwords.

        #  If you say "Local" instead of "PAP", then
        #  the module will look for a User-Password
        #  configured for the request, and do the
        #  authentication itself.

        #auth_type = PAP
        auth_type = ntlm_auth


>> I have followed the documentation example and got this working with PAP,
>> but our security will not allow us to use PAP due to security concerns
>> with the weak encryption used by PAP.

> Your security team is wrong.  There are no known security issues with the
> encryption scheme used by PAP.

According to our security team, PAP uses a simple xor between the password
and the hashed value of the shared secret. According to them, this would
make it easy to decrypt the user passwords in intercepted packets.
Regardless if this is true or not, I don't think I will be able to get them
to approve us using PAP. This means I'm stuck using one of the other types.

>> The problem I seem to be having is that when I use "challenge" in the 
>> authenticate section of the inner-tunnel configuration it seems to break
>> tunnel.  When I do this I get the following error message in the debug: 
>> eap: ERROR: Failed continuing EAP GTC (6) session.  EAP sub-module
>  Don't invent things.  Read the documentation. and configure the server as
>  Alan DeKok. 

I am trying to follow the documentation, but I couldn't find any examples of
how to do two-factor authentication other than through PAP. I found a few
other posts that other users made who were having similar problems, but I
didn't see any replies where they were able to get it working or how they
did it.  I have read through the documentation contained in the various
config files and am doing my best to try and follow it, but I am having
issues understanding how to do the two-factor authentication through GTC.  I
have the first part of the authentication working where the user sends their
username and password and this gets passed through to ntlm_auth and
authenticated through Active Directory.  If the credentials are correct, the
user gets logged in without being requested for the second factor.  This
is why I was trying to send a challenge in the authenticate section since
this is how I got it to work with PAP. If I remove this from the config, the
error goes away, but the user gets authenticated without being prompted for
the second credential.  This is what my authentication section looks like
with the challenge removed:

authenticate {
                Auth-Type PAP {

                Auth-Type MSCHAP {

                Auth-Type ntlm_auth {

I'm not sure what I am missing that is preventing the users from getting
prompted for the second factor.
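
For reference, the XOR scheme discussed in this message is the User-Password hiding defined in RFC 2865, section 5.2. The sketch below is an added example, not part of the original post and not FreeRADIUS code; the function names are hypothetical and the secret, authenticator and password are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is processed in 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password attribute value as RFC 2865 section 5.2 describes."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    # Pad with NULs to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # b1 = MD5(S + RA), b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i)
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password; requires the same shared secret."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("hidden value must be 16..128 bytes, multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block  # chaining uses the ciphertext block, not the plaintext
    # Padding NULs are stripped; a password ending in NUL is ambiguous here.
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    authenticator = bytes(range(16))        # constructed; random per request in practice
    hidden = hide_password(b"123456 otp-sample", secret, authenticator)
    print(hidden.hex())
    print(reveal_password(hidden, secret, authenticator))
```

Both directions need the shared secret, and the pad changes with every Request Authenticator, so the protection rests on the strength of that secret and the unpredictability of the authenticator.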

