EAP-TTLS w/MS-CHAPv2
Alan DeKok
aland at deployingradius.com
Wed May 21 19:21:26 CEST 2008
Bram Matthys (Syzop) wrote:
> I'm using FreeRadius 2.0.3. I've seen several tutorials regarding Freeradius
> 1, which help, but they are a bit outdated, and are often using a different
> authentication method or protocol (like PEAP).
TTLS with MS-CHAP2 is 99% like PEAP.
> I've verified ntlm_auth works on the command line.
> I've been following (among others)
> http://deployingradius.com/documents/configuration/active_directory.html
...
> Once this passed (I tested with radtest), I commented out both, because it
> was only for testing.
Yes.
> Side note..I had set 'wait = no' previously, due to the tutorial mentioning
> that, but then the password was always correct even if I provided an
> incorrect one.
Fixed, thanks.
> I've also been reading
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO by
> the way, and while it did help they use PEAP (w/mschapv2) so hmm.
It should be the same.
> Anyway, back on track:
> I've taken the default radius configuration files (as of v2.0.3), and
> edited them..
You should use 2.0.4, for a number of reasons.
...
> ttls {
> default_eap_type = mschapv2
Are you using EAP-MSCHAPv2, or MS-CHAPv2? See the comments above this
configuration entry in the default eap.conf file.
...
You'll also need a raddb/sites-enabled/inner-tunnel file. It's not
installed in 2.0.3. This was fixed in 2.0.4.
> This is what I get using the 'rad_eap_test' tool.. since I'm working
> remotely I cannot use securew2 at the moment (if someone has another
> suggestion on how to check eap ttls w/mschapv2, let me know..)
eapol_test, which comes with wpa_supplicant.
Install 2.0.4, which should help.
Alan DeKok.
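
The inner-method distinction raised above (EAP-MSCHAPv2 versus plain MS-CHAPv2 inside TTLS), seen from the eapol_test side. This is an added example, not part of the original message: the `make_eapol_conf` helper is hypothetical, and the identity, password, ssid, CA path, server address and shared secret are constructed placeholders.

```shell
#!/bin/sh
# Build an eapol_test (wpa_supplicant-format) config for EAP-TTLS with
# either plain MS-CHAPv2 or EAP-MSCHAPv2 as the tunneled method.
# All values passed in the usage lines below are constructed placeholders.

# make_eapol_conf INNER IDENTITY PASSWORD CA_CERT
#   INNER = mschapv2      -> phase2 "auth=MSCHAPV2"    (plain MS-CHAPv2)
#   INNER = eap-mschapv2  -> phase2 "autheap=MSCHAPV2" (EAP-MSCHAPv2)
make_eapol_conf() {
    inner=$1 identity=$2 password=$3 ca_cert=$4
    case "$inner" in
        mschapv2)     phase2='auth=MSCHAPV2' ;;
        eap-mschapv2) phase2='autheap=MSCHAPV2' ;;
        *) echo "unknown inner method: $inner" >&2; return 1 ;;
    esac
    # ca_cert makes the test client validate the server certificate
    # before it sends credentials into the tunnel.
    cat <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="$identity"
    password="$password"
    ca_cert="$ca_cert"
    phase2="$phase2"
}
EOF
}

# Usage (not run here; address and secret are placeholders):
#   make_eapol_conf mschapv2 testuser 'testpass' /path/to/ca.pem > ttls-mschapv2.conf
#   eapol_test -c ttls-mschapv2.conf -a 127.0.0.1 -p 1812 -s testing123
#   make_eapol_conf eap-mschapv2 testuser 'testpass' /path/to/ca.pem > ttls-eap-mschapv2.conf
#   eapol_test -c ttls-eap-mschapv2.conf -a 127.0.0.1 -p 1812 -s testing123
```

Running both variants against the same server shows which inner method the configuration actually accepts.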