Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Don
Alan,

I finally got EAP-GTC using ntlm_auth to work. Basically my initial
configuration inside the "gtc" sub-section of raddb/eap.conf was correct, and
modifying raddb/modules/ntlm_auth from "%{mschap:User-Name}" to
"%{User-Name}" was also correct. I can also use
%{%{mschap:User-Name}:-%{User-Name}}, which also works fine and won't
break mschap testing through radtest.

The problem lies somewhere else: in this case, in the file
raddb/users, where the following line was added when I configured freeRadius
with EAP-MSCHAPv2 and tested it with radtest:
DEFAULT  Auth-Type := ntlm_auth

Once I removed that line from raddb/users, EAP-GTC with ntlm_auth works.
So, the "gtc" sub-section inside raddb/eap.conf is as follows:

gtc {
        challenge = "Password: "
        auth_type = ntlm_auth
}

and raddb/modules/ntlm_auth content:

exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-%{User-Name}} --password=%{User-Password}"
}

Again, thank you for all the support.


Regards,
Dono

On Fri, Sep 27, 2013 at 9:50 AM, Alan DeKok wrote:

> Don wrote:
> > Nothing secret, as I said I tried both configurations (one at a time)
> > inside the "gtc" sub-section of eap.conf.
>
>   That's a problem.  NOTHING in the documentation or examples says to do
> that.  LOTS of documentation and examples give the CORRECT way to use
> ntlm_auth.
>
> > I did that, but that didn't work.
>
>   See the FAQ for "it doesn't work"
>
> > Perhaps I didn't configure the
> > ntlm_auth module, though there is a modules/ntlm_auth created when I
> > configured EAP-MSCHAPv2 with ntlm_auth.
>
>   Perhaps you could try following the examples on deployingradius.com,
> or the examples distributed with the server.
>
> > My understanding about RADIUS is that the client sends an Access-Request and
> > waits for one of: Access-Reject, Access-Accept, or Access-Challenge. If it
> > gets an Access-Challenge and later gets another Access-Challenge again, it
> > will respond, until it gets an Access-Accept or Access-Reject. The client
> > that I am using is NetMotion Mobility XE.
>
>   Which is all useless and irrelevant.  I asked about the EAP-GTC spec,
> not RADIUS.
>
> > Thank you once again for your response. Apologies if I am wasting your
> > time; that is not my intention.
>
>   If you ask questions on this list, you need to follow the instructions
> we give.  Doing anything else is rude.
>
>   You've been very careful to say as little as possible about what
> you're doing.  You've also been careful to NOT follow the documentation
> or examples.
>
>   That explains why you're having issues making it work.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
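As an added illustration (not Don's configuration and not FreeRADIUS project code), the following Python models how the --username value in that ntlm_auth command line is derived: %{mschap:User-Name} strips a DOMAIN\ prefix and rewrites host/ machine credentials, and the %{...:-...} form falls back to the raw User-Name when the first expansion is empty. The stripping rules are my understanding of rlm_mschap in FreeRADIUS 2.x and should be treated as an assumption; the sample requests are constructed.

```python
# Added illustration: a model of the username derivation used by the
# ntlm_auth exec module config above. Not FreeRADIUS code; the rules for
# %{mschap:User-Name} are an assumption about rlm_mschap (2.x) behaviour.


def mschap_user_name(user_name: str) -> str:
    """Model of %{mschap:User-Name}: strip a leading DOMAIN\\ prefix, and
    turn a machine credential such as host/pc1.example.com into pc1$."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def xlat_with_default(primary: str, fallback: str) -> str:
    """Model of the %{%{a}:-%{b}} form: the second expansion is used only
    when the first one expands to an empty string."""
    return primary if primary else fallback


def ntlm_auth_username(attrs: dict) -> str:
    """The value that lands in --username= for the config shown above."""
    user_name = attrs.get("User-Name", "")
    return xlat_with_default(mschap_user_name(user_name), user_name)


def ntlm_auth_argv(attrs: dict, domain: str = "MYDOMAIN") -> list:
    """Command line as the exec module would expand it (the program is run
    directly, not through a shell). The password is still an argument to
    the child process, so it is briefly visible in the process table of the
    RADIUS host; keep shell access to that host restricted."""
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--domain={domain}",
        f"--username={ntlm_auth_username(attrs)}",
        f"--password={attrs.get('User-Password', '')}",
    ]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in ({"User-Name": "MYDOMAIN\\alice", "User-Password": "pw"},
                   {"User-Name": "host/pc1.example.com", "User-Password": "pw"},
                   {"User-Name": "bob", "User-Password": "pw"}):
        print(ntlm_auth_argv(sample))
```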

Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Alan DeKok
Don wrote:
> Nothing secret, as I said I tried both configurations (one at a time)
> inside the "gtc" sub-section of eap.conf.

  That's a problem.  NOTHING in the documentation or examples says to do
that.  LOTS of documentation and examples give the CORRECT way to use
ntlm_auth.

> I did that, but that didn't work.

  See the FAQ for "it doesn't work"

> Perhaps I didn't configure the
> ntlm_auth module, though there is a modules/ntlm_auth created when I
> configured EAP-MSCHAPv2 with ntlm_auth.

  Perhaps you could try following the examples on deployingradius.com,
or the examples distributed with the server.

> My understanding about RADIUS is that the client sends an Access-Request and
> waits for one of: Access-Reject, Access-Accept, or Access-Challenge. If it
> gets an Access-Challenge and later gets another Access-Challenge again, it
> will respond, until it gets an Access-Accept or Access-Reject. The client
> that I am using is NetMotion Mobility XE.

  Which is all useless and irrelevant.  I asked about the EAP-GTC spec,
not RADIUS.

> Thank you once again for your response. Apologies if I am wasting your
> time; that is not my intention.

  If you ask questions on this list, you need to follow the instructions
we give.  Doing anything else is rude.

  You've been very careful to say as little as possible about what
you're doing.  You've also been careful to NOT follow the documentation
or examples.

  That explains why you're having issues making it work.

  Alan DeKok.


Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Don
On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok wrote:

> Don wrote:
> > I tried one of these inside the "gtc" sub-section of eap.conf, and it doesn't
> > seem to work:
> > auth_type = ntlm_auth
>
>   Setting that *should* be one step of a working configuration.
>

Ok, thank you for confirming that the above is one step towards a working
configuration.


>
> > or
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
>
>   Set where?  You have been *very* vague about what you're doing.  Is it
> a secret?
>

Nothing secret, as I said I tried both configurations (one at a time) inside
the "gtc" sub-section of eap.conf.


>
> > Though I haven't tried replacing User-Password with Cleartext-Password.
>
>   Don't do that.  Trying random things is *always* a bad idea.
>

Thank you for confirming again. I won't change it in this case.


>
> > Do I have to place this under "gtc" sub-section inside inner-eap?
>
>   No.  You have to configure the ntlm_auth module, and the ntlm_auth
> sub-section of the "authenticate" section.  All of that is documented in
> the deployingradius.com page.
>
> > See my comment earlier. Did I place the configuration at the right
> > sub-section?
>
>   I have no idea.  You've been careful to say as little as possible, in
> a manner which is as confusing as possible.
>

I tried both of the two configurations mentioned earlier inside the "gtc"
sub-section of eap.conf.


> > Yes, I saw the ntlm_auth configuration under modules/mschap and
> > modules/ntlm_auth. As stated in my first email, I am able to configure
> > freeRadius to authenticate against our Active Directory using
> > EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
> > work as well.
>
>   It WILL work.  Just set "auth_type = ntlm_auth" in the gtc
> configuration.  As I said.
>

I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth
module, though there is a modules/ntlm_auth created when I configured
EAP-MSCHAPv2 with ntlm_auth.


>
> > As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
> > = "/usr/bin/ntlm_auth ..." command execution, but those don't work.
>
>   So... rather than following instructions, you're trying random things.
>
>   How about running it in debugging mode, as suggested in the FAQ, "man"
> page, web pages, and daily on this list?
>
>   The reason we recommend it is that IT WORKS.  If you're trying random
> nonsense, you're wasting your time, and ours.
>

So far I have tried adding two configurations inside "gtc" sub-section of
eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and
I will capture the error later.


>
> > The reason I am asking the question about multiple challenges is that I am
> > currently evaluating another vendor's solution for multi-factor
> > authentication through EAP-PEAP/TLS with EAP-GTC, and the solution prompts for 2
> > additional inputs during authentication. Here is the
> > link: https://www.duosecurity.com/docs/netmotion. I thought if they can
> > do it, freeRadius can do it as well.
>
>   The issue is the EAP-GTC specification, and the clients.  Last I
> recall, it didn't support multiple challenge-responses.
>
>   If it does, then it's possible to upgrade FreeRADIUS to do it.  As
> always,
>

My understanding about RADIUS is that the client sends an Access-Request and waits
for one of: Access-Reject, Access-Accept, or Access-Challenge. If it gets an
Access-Challenge and later gets another Access-Challenge again, it will
respond, until it gets an Access-Accept or Access-Reject. The client that I am
using is NetMotion Mobility XE.

Thank you once again for your response. Apologies if I am wasting your
time; that is not my intention.



Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Alan DeKok
Don wrote:
> I tried one of these inside the "gtc" sub-section of eap.conf, and it doesn't
> seem to work:
> auth_type = ntlm_auth

  Setting that *should* be one step of a working configuration.

> or
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"

  Set where?  You have been *very* vague about what you're doing.  Is it
a secret?

> Though I haven't tried replacing User-Password with Cleartext-Password.

  Don't do that.  Trying random things is *always* a bad idea.

> Do I have to place this under "gtc" sub-section inside inner-eap?

  No.  You have to configure the ntlm_auth module, and the ntlm_auth
sub-section of the "authenticate" section.  All of that is documented in
the deployingradius.com page.

> See my comment earlier. Did I place the configuration at the right
> sub-section?

  I have no idea.  You've been careful to say as little as possible, in
a manner which is as confusing as possible.

> Yes, I saw the ntlm_auth configuration under modules/mschap and
> modules/ntlm_auth. As stated in my first email, I am able to configure
> freeRadius to authenticate against our Active Directory using
> EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
> work as well.

  It WILL work.  Just set "auth_type = ntlm_auth" in the gtc
configuration.  As I said.

> As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth
> = "/usr/bin/ntlm_auth ..." command execution, but those don't work.

  So... rather than following instructions, you're trying random things.

  How about running it in debugging mode, as suggested in the FAQ, "man"
page, web pages, and daily on this list?

  The reason we recommend it is that IT WORKS.  If you're trying random
nonsense, you're wasting your time, and ours.

> The reason I am asking the question about multiple challenges is that I am
> currently evaluating another vendor's solution for multi-factor
> authentication through EAP-PEAP/TLS with EAP-GTC, and the solution prompts for 2
> additional inputs during authentication. Here is the
> link: https://www.duosecurity.com/docs/netmotion. I thought if they can
> do it, freeRadius can do it as well.

  The issue is the EAP-GTC specification, and the clients.  Last I
recall, it didn't support multiple challenge-responses.

  If it does, then it's possible to upgrade FreeRADIUS to do it.  As
always,