freeradius with EAP-TTLS and PAP auth

Mathieu Geli geli at
Wed Aug 3 11:14:29 CEST 2005

Hi folks,

I'm trying to configure freeradius to authenticate users through a TTLS tunnel witth PA
authentication scheme. Xsupplicant has been configured like :

   allow_types = eap_ttls
   eap-ttls {
      root_cert      = /etc/xsupplicant/tls/ca_cert.pem
      phase2_type = pap
      pap {
        username = <BEGIN_UNAME>testuser<END_UNAME>
        password = <BEGIN_PASS>testpass<END_PASS>

subsequently for freeradius, I enabled in radius.conf the pap module :
	pap {
		encryption_scheme = md5
(tried also crypt and clear options without any success)

But I do not see anything in eap.conf like ttls { ... pap { ... } }
(the interesting part is the pap *inside* the ttls part)
So I tried to enable PAP directly in radiusd.conf authenticate part :

authenticate {
	Auth-Type PAP {		

And forces (even if I encountered several times that may not be done like that) in the users conf :
testuser Auth-Type := PAP, User-Password == "testpass"
and also tested EAP, and not specifying the Auth-Type (which then fallback to the System
module and obviously fail)

With EAP the error I get is :

  rlm_eap: EAP-Message not found
  rlm_eap: Malformed EAP Message

(xsupplicant and freeradius are apparently not talking the same language)

With PAP :

    rad_check_password:  Found Auth-Type PAP
  auth: type "PAP"
    Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 0
  rlm_pap: Attribute "Password" is required for authentication.
    modcall[authenticate]: module "pap" returns invalid for request 0
  modcall: group Auth-Type returns invalid for request 0
  auth: Failed to validate the user

(also tested to put 'Password' instead of 'User-Password' directive, still the same error.)

Without Auth-Type :

    rad_check_password:  Found Auth-Type System
  auth: type "System"
    Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
  rlm_unix: [testuser]: invalid password

I'm maybe trying to test something that is not still finished ?
By the way MD5 over TTLS works fine, tested with secureW2 WInXP supplicant.
(Seems that xsupplicant does not support md5 as TTLS phase2)

Thanks for your support !


More information about the Freeradius-Users mailing list