On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Don wrote:
> > I tried one of these inside "gtc" sub-section of eap.conf, that don't
> > seem to work:
> > auth_type = ntlm_auth
>
>   Setting that *should* be one step of a working configuration.
>

Ok, thank you for confirming that the above is one step towards a working configuration.

> > or
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
>
>   Set where?  You have been *very* vague about what you're doing.  Is it
> a secret?
>

Nothing secret, as I said I tried both configurations (one at a time) inside "gtc" sub-section of eap.conf.

> > Though I haven't tried replacing User-Password with Cleartext-Password.
>
>   Don't do that.  Trying random things is *always* a bad idea.
>

Thank you for confirming again. I won't change it in this case.

> > Do I have to place this under "gtc" sub-section inside inner-eap?
>
>   No.  You have to configure the ntlm_auth module, and the ntlm_auth
> sub-section of the "authenticate" section.  All of that is documented in
> the deployingradius.com page.
>
> > See my comment earlier. Did I place the configuration at the right
> > sub-section?
>
>   I have no idea.  You've been careful to say as little as possible, in
> a manner which is as confusing as possible.
>

The two configurations mentioned earlier, I tried them both inside "gtc" sub-section of eap.conf.

> > Yes, I saw the ntlm_auth configuration under modules/mschap and
> > modules/ntlm_auth. As stated in my first email, I am able to configure
> > freeRadius to authenticate against our Active Directory using
> > EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
> > work as well.
>
>   It WILL work.  Just set "auth_type = ntlm_auth" in the gtc
> configuration.  As I said.
>

I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth module though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.
>
> > As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
> > = "/usr/bin/ntlm_auth ..." command execution, but that don't work.
>
>   So... rather than following instructions, you're trying random things.
>
>   How about running it in debugging mode, as suggested in the FAQ, "man"
> page, web pages, and daily on this list?
>
>   The reason we recommend it is that IT WORKS.  If you're trying random
> nonsense, you're wasting your time, and ours.
>

So far I have tried adding two configurations inside "gtc" sub-section of eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and I will capture the error later.

> > The reason I am asking the question of multiple challenges because I am
> > currently evaluating another vendor solution for multi-factor
> > authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2
> > additional inputs during authentication. Here is the
> > link: https://www.duosecurity.com/docs/netmotion. I thought if they can
> > do it, freeRadius can do it as well.
>
>   The issue is the EAP-GTC specification, and the clients.  Last I
> recall, it didn't support multiple challenge-responses.
>
>   If it does, then it's possible to upgrade FreeRADIUS to do it.  As
> always,
>

My understanding about RADIUS is that the client sends AccessRequest and waits for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will respond, until it gets AccessAccept or AccessReject.

The client that I am using is NetMotion Mobility XE.

Thank you once again for your response. Apologize if I am wasting your time, not my intention.

> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>