Rolling out 802.1x with GTC

By ozerdo posted Nov 11, 2011 08:16 PM



Anyone roll out WAP2 802.1x with support only for EAP-GTC ( and forgetting about MSCHAP ?) and are happy about it ?
- MSCHAP for us is looking like too big of a hurlte...
- Wanting to use MSCHAP because of windows native support
The EAP-GTC works just fine, It's just client support can be tricky at times.


There are quite a number of users that use GTC because they have LDAP and they want to do encryption. This involves using EAP-GTC as the inner EAP type and installing a GTC supplicant like Odyssey or SecureW2 on clients. Most of these users are in higher education. One of your biggest issues is training your helpdesk to install and troubleshoot these clients.

If you wanted to allow users to use their native supplicant and do EAP-MSChapV2, you would have to make sure that your LDAP tree or structure uses passwords that are in cleartext or NTLM-hashed ( When you do this, you can use Freeradius to authenticate users with MSChapV2 and their native supplicants. There are a number of ways to do this and it normally results in all users having to change their passwords if you change the hash. An alternate method is have a password change mechanism that when users change their password, it writes the new password to both LDAP and Active Directory. When you get that working, you can then authenticate users against Active Directory with their native supplicants using Internet Authentication Server.