freeradius with EAP-TTLS and PAP auth
Mathieu Geli
geli at enseirb.fr
Wed Aug 3 12:48:02 CEST 2005
> Don't. FreeRadius typically treats EAP-Requests as _two_ requests. It handles the EAP stuff
> and then generates a new request for the stuff that's contained in the tunnel (e.g. PAP) and
> sends that to itself. So, if you force Auth-Type to either EAP or PAP unconditionally, either
> the "inner" (PAP) or the outer (EAP) protocol cannot be handled.
You are probably right, I definitely will avoid forcing Auth-Type and let freeradius do the job.
> Apparently, it can't find a password (cleartext or uncrypted) for the user, so it falls
> back to Auth-Type System. Try to get PAP authentication working by itself, first, i.e.
> just use radtest to send username/password combinations to the server and fix their
> handling. Once that works, EAP-TTLS with PAP should work as well.
You pointed it out. Actually I just had to *comment out* (or force Auth-Type := PAP):

    DEFAULT Auth-Type = System
            Fall-Through = 1

which was earlier defined in the users file.
And stay with the simple:

    "testuser" Password == "testpass"

The proxy also works like a charm if you take care to add, in the proxy.conf, in the realm definition: 'nostrip'
(got that stupid error about "Identity does not match User-Name, setting from EAP Identity" for a while)
So thanks for the quick reply, Stefan!
--
Mathieu