rlm_eap_gtc

Synopsis

The eap_gtc module implements EAP-GTC authentication. It is a submodule of eap and cannot be used on its own.

GTC stands for Generic Token Card. The intent is to permit the use of challenge-response token cards with EAP. The challenge and the response are sent in the clear, which means that they are visible to anyone who can monitor the wireless or wired network traffic. Therefore, this module should only be used inside an EAP-TTLS or EAP-PEAP tunnel. The TLS tunnel will protect the challenge and response from eavesdroppers.

It is not recommended to proxy the inner-tunnel EAP-GTC information. Doing so would negate the security of using either EAP-TTLS or EAP-PEAP.

The module challenges the user with a fixed text string and looks for a response from the user. When the module sees the user’s response, it puts the response into a User-Password attribute. Another module is then called to validate the password.
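The exchange described above, as an added example (not FreeRADIUS code): it builds the EAP-Request/GTC and EAP-Response/GTC packets per RFC 3748 (EAP type 6), maps the response data to User-Password, and shows that the answer travels as plain bytes unless a TLS tunnel wraps it. The function names and sample values are constructed for illustration, and the constant-time comparison in local_check is a choice made here, not something the page specifies.

```python
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_GTC = 6  # RFC 3748, section 5.6


def build_gtc_request(identifier: int, challenge: str) -> bytes:
    """Server side: EAP-Request/GTC carrying the displayable challenge text."""
    data = challenge.encode("utf-8")
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5 + len(data), EAP_TYPE_GTC) + data


def build_gtc_response(identifier: int, answer: str) -> bytes:
    """Client side: EAP-Response/GTC carrying the user's answer, unencrypted."""
    data = answer.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_GTC) + data


def parse_gtc_response(packet: bytes, expected_id: int) -> dict:
    """Validate an EAP-Response/GTC and map its data to User-Password."""
    if len(packet) < 5:
        raise ValueError("short EAP packet")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_GTC:
        raise ValueError("not an EAP-Response/GTC")
    if identifier != expected_id:
        raise ValueError("identifier does not match the outstanding request")
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    # Bytes past `length` are padding and are ignored.
    return {"User-Password": packet[5:length].decode("utf-8")}


def local_check(attrs: dict, cleartext_password: str) -> bool:
    """Stand-in for auth_type = local: compare against Cleartext-Password."""
    return hmac.compare_digest(attrs["User-Password"].encode(), cleartext_password.encode())


# Constructed sample exchange (identifier and token value are made up).
REQUEST = build_gtc_request(7, "Password:")
RESPONSE = build_gtc_response(7, "482913")
ATTRS = parse_gtc_response(RESPONSE, expected_id=7)
```
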

Processing Sections

None.

Expansions

None.

Directives

auth_type
Syntax

auth_type = local | PAP | …​

Default

PAP

Description

The module that will perform the User-Password authentication for the user. The user’s response is put into a User-Password attribute and passed to another module for authentication.

If the word local is used instead of PAP, the module will look for control:Cleartext-Password and will perform a string comparison with the user’s response.

challenge
Syntax

challenge = string

Default

Password:

Description

The default challenge. Many clients will ignore this challenge and may not even show it to the user.