EAP-TTLS-PAP Doesn't send Clear-Password to proxy-inner-tunnel
aland at deployingradius.com
Wed Aug 3 19:12:23 CEST 2016
On Aug 3, 2016, at 11:39 AM, Mehran Meidani <m.meidani at me.com> wrote:
> I have a home server which only supports pap. FreeRADIUS was configured to establish eap-ttls-pap and then proxy the inner request to my home server. Although it is configured to use pap, it doesn't send the user's clear-text password to my home server.
You don't configure FreeRADIUS to use PAP. You configure the EAP supplicant (Windows PC, iPhone, etc.) to do TTLS + PAP.
> Here is the output of freeradius -X:
As always, reading it helps.
> (5) eap_ttls: Session established. Proceeding to decode tunneled attributes
> (5) eap_ttls: Got tunneled request
> (5) eap_ttls: EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
> (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_ttls: Got tunneled identity of neda.divsalar at ut.ac.ir
> (5) eap_ttls: Sending tunneled request
> (5) Virtual server proxy-inner-tunnel received request
> (5) EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
> (5) FreeRADIUS-Proxied-To = 127.0.0.1
> (5) User-Name = "neda.divsalar at ut.ac.ir"
See? No User-Password inside of the tunnel.
The supplicant is configured to do EAP inside of the TTLS tunnel.
Fix the supplicant so that it does PAP.
No amount of poking FreeRADIUS will make this work.
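
Added example, not part of the original message or of FreeRADIUS: a small Python check that reads tunneled attribute lines from `freeradius -X` output and reports whether the supplicant sent PAP (a `User-Password` attribute) or EAP (an `EAP-Message`, decoded per RFC 3748) inside the TTLS tunnel. The first sample is copied from the debug output quoted above; the second is a constructed sample of what a TTLS + PAP tunnel is assumed to look like, and the function names are illustrative.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 26: "MSCHAPv2"}

# Matches attribute lines such as "(5) eap_ttls: EAP-Message = 0x02..."
ATTR_RE = re.compile(r"^\(\d+\)\s+(?:\w+:\s+)?([\w-]+) = (\S.*)$")

# Lines copied from the debug output quoted in the message above.
PAGE_LOG = [
    "(5) eap_ttls: Got tunneled request",
    "(5) eap_ttls: EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972",
    "(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1",
]
# Constructed sample (not from the page): assumed shape of a TTLS + PAP tunnel.
CONSTRUCTED_PAP_LOG = [
    "(5) eap_ttls: Got tunneled request",
    '(5) eap_ttls: User-Name = "alice@example.org"',
    '(5) eap_ttls: User-Password = "constructed-password"',
]

def parse_eap(hex_value):
    """Decode the EAP header (RFC 3748): code, identifier, length, then type."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the data")
    # Only Request and Response packets carry a type byte.
    eap_type = raw[4] if code in (1, 2) and length > 4 else None
    return {"code": code, "id": ident, "length": length, "type": eap_type}

def inner_method(log_lines):
    """Report what the supplicant sent inside the TTLS tunnel."""
    attrs = {}
    for line in log_lines:
        m = ATTR_RE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), m.group(2))
    if "User-Password" in attrs:
        return "PAP"
    if "EAP-Message" in attrs:
        eap = parse_eap(attrs["EAP-Message"])
        return "EAP %s/%s" % (EAP_CODES.get(eap["code"], eap["code"]),
                              EAP_TYPES.get(eap["type"], eap["type"]))
    return "unknown"

if __name__ == "__main__":
    print(inner_method(PAGE_LOG), "|", inner_method(CONSTRUCTED_PAP_LOG))
```
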