freeradius with EAP-TTLS and PAP auth
Stefan.Neis at t-online.de
Wed Aug 3 12:55:07 CEST 2005
Hi,
> And forces (even if I encountered several times that may not be done like that) in the users conf :
> testuser Auth-Type := PAP, User-Password == "testpass"
> and also tested EAP,
Don't. FreeRADIUS typically treats EAP-Requests as _two_ requests. It handles the EAP stuff
and then generates a new request for the stuff that's contained in the tunnel (e.g. PAP) and
sends that to itself. So, if you force Auth-Type to either EAP or PAP unconditionally, either
the "inner" (PAP) or the outer (EAP) protocol cannot be handled.
> and not specifying the Auth-Type (which then fallback to the System
> module and obviously fail)
Now, that's a problem...
> Without Auth-Type :
>
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_unix: [testuser]: invalid password
Apparently, it can't find a password (cleartext or uncrypted) for the user, so it falls
back to Auth-Type System. Try to get PAP authentication working by itself, first, i.e.
just use radtest to send username/password combinations to the server and fix their
handling. Once that works, EAP-TTLS with PAP should work as well.
HTH,
Stefan
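
The two-pass handling described in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of the outer (EAP) and inner (PAP) requests, showing why an unconditional Auth-Type breaks one of them and where the System fallback comes from. All function names, dictionary keys and the sample credentials are hypothetical and constructed for illustration.

```python
# Simplified model of the dispatch described above; not FreeRADIUS source code.
# All function and key names here are hypothetical.

USERS = {"testuser": "testpass"}  # constructed sample credential store


def pick_auth_type(request, forced=None, known_password=None):
    """Choose an Auth-Type the way the message describes."""
    if forced:                        # users file: Auth-Type := <forced>
        return forced
    if "EAP-Message" in request:      # outer request carries EAP
        return "EAP"
    if known_password is not None:    # a password was found for the user
        return "PAP"
    return "System"                   # fallback seen in the debug log


def handle(request, forced=None, users=USERS):
    """Process one request; returns a list of (auth_type, result) steps."""
    known = users.get(request["User-Name"])
    auth_type = pick_auth_type(request, forced, known)
    if auth_type == "EAP":
        if "EAP-Message" not in request:
            return [("EAP", "reject: no EAP-Message in request")]
        # Unwrap the tunnel and feed the inner request back to ourselves.
        inner = request["EAP-Message"]["tunnelled"]
        return [("EAP", "tunnel ok")] + handle(inner, forced, users)
    if auth_type == "PAP":
        if "User-Password" not in request:
            return [("PAP", "reject: no User-Password in request")]
        ok = known is not None and request["User-Password"] == known
        return [("PAP", "accept" if ok else "reject: invalid password")]
    # System: in this model the account is not in the Unix password database.
    return [("System", "reject: invalid password")]


def ttls_pap(user, password):
    """Build a constructed EAP-TTLS request carrying a PAP inner request."""
    inner = {"User-Name": user, "User-Password": password}
    return {"User-Name": user, "EAP-Message": {"tunnelled": inner}}


if __name__ == "__main__":
    req = ttls_pap("testuser", "testpass")
    for label, kw in [("no forced type", {}), ("forced PAP", {"forced": "PAP"}),
                      ("forced EAP", {"forced": "EAP"}), ("no password", {"users": {}})]:
        print(label, "->", handle(req, **kw))
```

The last case reproduces the shape of the quoted debug output: the outer EAP step succeeds, but with no password found for the user the inner request lands on Auth-Type System and is rejected.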