> I take it that means EAP-PEAP (as well as EAP-TTLS) provides
> protected tunnel already, and as such when used in PEAP-GTC, it may be
> used to provide support for cleartext password. Is my interpretation
> correct?

Yes. But you (i.e. server) don't have a password (clear or encrypted) for matching.

> (2) What is the difference (security-wise) between setting auth-type
> PAP and LDAP within PEAP-GTC, since both have clear-text passwords
> inside the GTC tunnel?

None.

> (3) Why is the authorize/authentication combo behavior between main
> radiusd.conf and inner-tunnel different with regards to LDAP bind as
> user? Is it:
> a. Design choice (e.g. programmers' choice, or to comply with RFP or
> other standards), or
> b. A bug

It's not. You have to tell GTC what authentication method to use. That is then set in the configuration file and can't be changed during request processing. If you leave the server to set the auth method ... If you would force DEFAULT Auth-Type := System in users file, ldap "bind as user" wouldn't work. If you put LDAP, system passwords won't work. That is in essence what GTC does.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
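The point Ivan makes, that the GTC inner method is fixed in the server configuration rather than chosen per request, can be seen in the `gtc` block of a FreeRADIUS `eap.conf`. The fragment below is an added illustration, not taken from the list post; the comments describing the three Auth-Type choices are the editor's, and which one fits depends on where the reference passwords live.

```conf
# gtc sub-section of the "eap" module in eap.conf (illustrative, added here).
# rlm_eap_gtc reads this once at start-up.  The cleartext response that the
# supplicant sends inside the PEAP tunnel is copied into User-Password and
# handed to the Auth-Type named by auth_type.  A "DEFAULT Auth-Type := ..."
# line in the users file of the inner-tunnel virtual server does not change
# this, which is why the inner tunnel behaves differently from plain PAP.
gtc {
    # Prompt shown to the supplicant; most clients ignore it.
    challenge = "Password: "

    # Exactly one Auth-Type applies to every GTC request:
    #
    #   PAP    rlm_pap compares the response with a reference password
    #          (Cleartext-Password, Crypt-Password, ...) that the
    #          "authorize" section must already have fetched, e.g. from LDAP.
    #
    #   LDAP   rlm_ldap binds to the directory as the user with the
    #          supplied password.  No stored reference password is needed,
    #          but accounts that exist only in the local system password
    #          database cannot be checked this way.
    #
    #   System rlm_unix checks the password against the local system
    #          accounts; LDAP "bind as user" is then never attempted.
    #
    # Security-wise the tunnel already protects the cleartext response, so
    # the choice is about where the server can verify it, not about
    # exposure on the wire.
    auth_type = PAP
}
```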

