Using privacyIDEA to authenticate to WiFi with 2FA/Token

Muenz, Michael m.muenz at spam-fetish.org
Sat Nov 26 13:02:19 CET 2016


Hi guys,

I have a running setup with privacyIDEA to authenticate VPN users via Token.
There's a perl module redirecting the token stuff to the local webserver 
doing its magic.
In order to run this setup I have to set Default Auth Type to perl in the 
users file.

Now I have a customer asking to extend WiFi security with tokens.
My thought was no big deal, but there's EAP! :)

After some googling it was clear I should use TTLS and PAP. First problem: when 
I set up my APs for RADIUS and Default Auth is perl, EAP won't get called.
OK, then I set Default Auth to EAP and bang, EAP starts and everything 
seems to run fine in inner-tunnel.
But then I want to bump perl in the authenticate section to give the request 
to the webserver.
What now happens is that perl won't get recognized; instead the 
Default Auth is chosen again and it tries to do MD5.
I played around with ttls and md5 or gtc, inserted perl in the authorize 
section and so on, nothing worked.

Enclosed is a (huge) debug, hoping that someone has a clue what's going 
on (comments inline):

--> Initial request
rad_recv: Access-Request packet from host ip port 57736, id=87, length=153
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 0x0200000a016d75656e7a
         Message-Authenticator = 0x360bad25b59c6c79d36ab8f73531836e
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 205
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop

--> perl in authorize, normally not needed (was a test)
rlm_perl: Added pair EAP-Message = 0x0200000a016d75656e7a
rlm_perl: Added pair Calling-Station-Id = 30-3A-64-D8-D2-13
rlm_perl: Added pair NAS-IP-Address = ip
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair Message-Authenticator = 
0x360bad25b59c6c79d36ab8f73531836e
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Connect-Info = CONNECT 0Mbps 802.11a
rlm_perl: Added pair User-Name = user
rlm_perl: Added pair Called-Station-Id = BC-16-F5-DB-57-F0:SSID
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Auth-Type = EAP
++[perl] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 87 to ip port 57736
         EAP-Message = 0x010100061520
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x78771f5678760a3d6495143e099646c4
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip port 57736, id=88, length=470
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 
0x02010133150016030101280100012403035469c1888d984c755f09fa127b5a4fd73d3f5e3d76dd0492e39691ff0acbcca10000aac030c02cc028c024c014c00a00a500a300a1009f700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c020cc00200050004c012c008001600130010000dc00dc003000a00ff01000051000b000403000102000a001c001a00170019001c001b0018001a00
         EAP-Message = 
0x16000e000d000b000c0009000a000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101
         State = 0x78771f5678760a3d6495143e099646c4
         Message-Authenticator = 0xa2dcbc0456f99c4088c081ea40caa72f
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls

--> OK, going for ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0128], ClientHello
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 02d4], Certificate
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state

--> is this OK?
[ttls]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 88 to ip port 57736
         EAP-Message = 
0x0102040015c000000475160301003e0200003a0301fb61a70bc00f4f72254a4961295db23a021ab31db031a2ec5e30f09766eeb92500c014000012ff01000100000b000403000102a308202c6308201aea003020102020900f42e74c60803a393300d06092a864886f70d01010b0500301b3119301706035504030c106f74702e6d627261756e2e6c6f6b616c301e170d3136313132323135323532319301706035504030c106f74702e6d627261756e2e6c6f6b616c30820122300d06092a864886f70d01010105000382010f003082010a02820101
         EAP-Message = 
0x00c2d539f913b49bddf44e1896b3664ef5414c1e58a0c1263f9c39e0ff204987c19cae285e655970bc06cd5d418e344b24e13cc25fcedfe44b0dceb07563b23a4763f78b0c04db0e0c0046112b6598a674fadc501c0a06361e341c9e5864243551139d5f5fdc235f6f6c0fe211095075ffdf599691fbc583be069c6206539c77288d239f513fb4e56b430df3c9e697dc109fdc2a8e7041049bebde035ef358cf6c8d0185e22b211573ffb36f719017802cac937dce660ae8e6e6c990b46992150fb66c106304bb88c6a63d3fda8c947ceb77eb33a6c4
         EAP-Message = 
0x991e98690203010001a30d300b30090603551d1304023000300d06092a864886f70d01010b05000382010100c011c45596161f6474a37be2d223e3dd858c194f824a65ec9174cadd54dc523a97820f572379b761fb43b43d1e356e3e36ba4c1fdecd821aef7413344a8072f17c7d8e1c3c6d9e2f064999f600f04d2b6d3d357a91cdf0a60313becaa9503ab79e523471d266d5c3a104580fd6f33c246c24c8d9f9ecbdbe93471e78fb23cc14a01418ee79a7029adaf00ebede94f7dd60b0558136e2b8534a6c9280a012749c5f2fdbcf8be8d8fe6ee9
         EAP-Message = 
0x9af28691cd18ddbba01e4b85a9f82cfec7eb4201fb914bb9df179d05a1135ed94eb5b0e67a4b6dc13601ccdbe5b970160301014b0c0001470300174104880a6cadb0bda6009cb3b209cd1ab676aecc9445bab4ad851c75e61a0037316b16f93ec6fcbb77722df1dfc5f01008ba6dc4c785bbbaefa09f4c0a751c5c7269ff7ebb5f7e8c67f659c8454f919e96a0adef063bfec5963e07ce2b7aa293159462acbc323ace3570daf0d09e83111a3fe9ddb279a59b126c591b386276dae1922cdf428cd02871bda42dceeb4a16171f332d0e95cb30dcc17b
         EAP-Message = 0x8e2faa751416e9b4519b8898
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x78771f5679750a3d6495143e099646c4
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip port 57736, id=89, length=167
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 0x020200061500
         State = 0x78771f5679750a3d6495143e099646c4
         Message-Authenticator = 0xd5e8cfd8ef6c17173e3b4362999ef8e3
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 89 to ip port 57736
         EAP-Message = 
0x010300891580000004759fe317ceebd982fddebffd0960319e213113c8228478e9b467d2beebcef7aacff48414466d77007618337e74bbde1ba4f48ee628129c948a5dae987aafaa6ab658f1b3ab06b9c15495e21cb24d905978e5b9657b14b013747805521a05c5ac23e3b4b16030100040e000000
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x78771f567a740a3d6495143e099646c4
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip port 57736, id=90, length=301
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 
0x0203008c15001603010046100000424104e2eb375029681f678e5f1c36bfc89b18bb3a00538a95c0274746cf2c7d80d65401633768320eedc9611e0488a3ee26f65f4876f6a366ed051d6bf03d28b8a706ab96ab8a779b307ccbc7b349ef5aa56a5cb952c50576cefca870fc83524c24fc5b90c0cae016f2d
         State = 0x78771f567a740a3d6495143e099646c4
         Message-Authenticator = 0xd761d7690d32fe8b142236eab7f6a1e8
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     (other): SSL negotiation finished successfully

--> Yay, sounds good to me
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 90 to ip port 57736
         EAP-Message = 
0x0104004515800000003b1403010001011603010030aa0ee47b503121259d548b3cf09b32b5fb7ae3aa7f25d8a0711e2e04f4e240dffa2b84c3272d94a1f6e142cb1c3a391d
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x78771f567b730a3d6495143e099646c4
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip port 57736, id=91, length=257
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 
0x02040060150017030100207d47ce2ba9ec180dd6fcf0b76e10dde249052da789ab7f9c7ce75204d0b524581703010030a14ec7133706d825b25db9e853c237b4347d0e1b9879d43879a3ce68a
         State = 0x78771f567b730a3d6495143e099646c4
         Message-Authenticator = 0x6928c5095c5c258d6c87ec5f879ec11b
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
         EAP-Message = 0x0200000a016d75656e7a
         FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of user
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
         EAP-Message = 0x0200000a016d75656e7a
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "user"

--> Finally, reaching inner-tunnel, but perl won't get called, even though 
it's in first place in authenticate
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[expiration] = noop
++[logintime] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type gtc
[gtc]   expand: Password:  -> Password:
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
         EAP-Message = 0x0101000f0650617373776f72643a20
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x81d6c4cf81d7c2d83ec9c570cb69f51e
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 91 to ip port 57736
         EAP-Message = 
0x0105003f1580000000351703010030c5db273c3c863eb6b3764a1ed973cd99053166c7fa89d6dc788cb711eae8a72d598037ff2571d3cf8b7ab755794fa29b
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x78771f567c720a3d6495143e099646c4
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip port 57736, id=92, length=257
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 
0x0205006015001703010020115f8cd11b96b37c00098fb2e5afdef35d419b9f3a06e9333508562ba52bd9941703010030a53ad47636c229f2d43a3884d6de2699fc1fbe65ac79c0be2addff875
         State = 0x78771f567c720a3d6495143e099646c4
         Message-Authenticator = 0xe18b09b565a096b5c48229e326ba51fe
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
         EAP-Message = 0x020100060304
         FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
         EAP-Message = 0x020100060304
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "user"
         State = 0x81d6c4cf81d7c2d83ec9c570cb69f51e
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[expiration] = noop
++[logintime] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/md5
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
         EAP-Message = 0x01020016041054ab7a2ac661b1a17f04daa40325d1bb
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x81d6c4cf80d4c0d83ec9c570cb69f51e
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 92 to ip port 57736
         EAP-Message = 
0x0106004f15800000004517030100408ce10260b1e93c4c05898048ef94aac42357aba82089743442651a4f2d969ac0cdc51243d784827f97571443b8cd2ce9c8afb692e8f641e684
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x78771f567d710a3d6495143e099646c4
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip port 57736, id=93, length=273
         User-Name = "user"
         NAS-IP-Address = ip
         NAS-Port = 0
         Called-Station-Id = "BC-16-F5-DB-57-F0:SSID"
         Calling-Station-Id = "30-3A-64-D8-D2-13"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11a"
         EAP-Message = 
0x0206007015001703010020d6cbb1a3a5f469fb69725dcc5585d44cee709422a062a0069002373e41c1a50b17030100404b1af9b738abecc14342b16efacf53eca017241d9f3ffa4b9b970b9ba804bd977ebef8a6ac6aff592d3caaf36
         State = 0x78771f567d710a3d6495143e099646c4
         Message-Authenticator = 0x686be1d650b37ad2e406ed39ef1dfa5e
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
         EAP-Message = 0x0202001604102d9b5073ce522d5e72a61cf2673bbb36
         FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
         EAP-Message = 0x0202001604102d9b5073ce522d5e72a61cf2673bbb36
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "user"
         State = 0x81d6c4cf80d4c0d83ec9c570cb69f51e
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] = noop
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 2 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[expiration] = noop
++[logintime] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5

--> Yes I know, but I should call perl
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[ttls] Got tunneled reply code 3
         EAP-Message = 0x04020004
         Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user user
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 93 to ip port 57736
         EAP-Message = 0x04060004
         Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 87 with timestamp +12
Cleaning up request 1 ID 88 with timestamp +12
Cleaning up request 2 ID 89 with timestamp +12
Cleaning up request 3 ID 90 with timestamp +12
Cleaning up request 4 ID 91 with timestamp +12
Cleaning up request 5 ID 92 with timestamp +12
Waking up in 1.0 seconds.
Cleaning up request 6 ID 93 with timestamp +12
Ready to process requests.


It's a fresh Debian 8 install with the FR 2.2.5 deb package.
What I changed from the default was the client in clients.conf and DEFAULT 
Auth-Type := eap/perl in users.
In eap.conf I changed default to ttls, and in the ttls section I tried md5 and gtc.
In modules/perl I linked to the module and added perl/eap to default and 
inner-tunnel.


Any ideas?

Thanks,
Michael
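As an added example (not part of the original post), here is a small Python parser for the FreeRADIUS 2.x debug output format shown above: per Access-Request id it records the Auth-Type found in the outer server and in the inner-tunnel server, the EAP method chosen inside the TTLS tunnel, which modules produced a result in the inner-tunnel authenticate group, and the final reply. The embedded sample is constructed from the post's log lines with attributes and hex payloads left out; `inner_module_ran(trace, "perl")` makes the "perl never gets called in the inner tunnel" symptom checkable over a whole debug capture.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the FreeRADIUS 2.x debug output quoted above
# (RADIUS attributes and hex payloads left out; not a verbatim copy of the post).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host ip port 57736, id=91, length=257
Found Auth-Type = EAP
+group authenticate {
server inner-tunnel {
Found Auth-Type = EAP
+group authenticate {
[eap] processing type gtc
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
Sending Access-Challenge of id 91 to ip port 57736
rad_recv: Access-Request packet from host ip port 57736, id=93, length=273
Found Auth-Type = EAP
+group authenticate {
server inner-tunnel {
Found Auth-Type = EAP
+group authenticate {
[eap] processing type md5
++[eap] = invalid
+} # group authenticate = invalid
} # server inner-tunnel
Sending Access-Reject of id 93 to ip port 57736
"""

RE_REQ = re.compile(r"^rad_recv: Access-Request packet .*\bid=(\d+),")
RE_SEND = re.compile(r"^Sending (Access-\S+) of id (\d+)")
RE_GROUP = re.compile(r"^\+group (\S+) \{")
RE_AUTH = re.compile(r"^Found Auth-Type = (\S+)")
RE_EAP = re.compile(r"^\[eap\] processing type (\S+)")
RE_MOD = re.compile(r"^\+\+\[([\w.]+)\] = (\S+)")   # "++[module] = rcode"

@dataclass
class RequestTrace:
    rid: int
    outer_auth_type: str = ""
    inner_auth_type: str = ""
    inner_eap_type: str = ""   # EAP method chosen inside the TTLS tunnel
    inner_authenticate: list = field(default_factory=list)  # (module, rcode)
    outcome: str = ""          # Access-Challenge / Access-Accept / Access-Reject

def parse_debug(text):
    """Build one RequestTrace per Access-Request id from radiusd -X output."""
    traces, cur, inner, group = {}, None, False, ""
    for line in text.splitlines():
        if m := RE_REQ.match(line):
            cur = traces.setdefault(int(m[1]), RequestTrace(int(m[1])))
            inner, group = False, ""
        elif m := RE_SEND.match(line):
            traces.setdefault(int(m[2]), RequestTrace(int(m[2]))).outcome = m[1]
        elif cur is None:
            continue
        elif line.startswith("server inner-tunnel {"):
            inner = True
        elif line.startswith("} # server inner-tunnel"):
            inner = False
        elif m := RE_GROUP.match(line):
            group = m[1]
        elif m := RE_AUTH.match(line):
            setattr(cur, "inner_auth_type" if inner else "outer_auth_type", m[1])
        elif inner and (m := RE_EAP.match(line)):
            cur.inner_eap_type = m[1]
        elif inner and group == "authenticate" and (m := RE_MOD.match(line)):
            cur.inner_authenticate.append((m[1], m[2]))
    return traces

def inner_module_ran(trace, module):
    """True if `module` produced a result in the inner-tunnel authenticate group."""
    return any(mod == module for mod, _ in trace.inner_authenticate)
```

Run over the full debug in the post, `inner_module_ran(trace, "perl")` is False for every request: only `eap` ever produces a result in the inner-tunnel authenticate group, which is exactly the symptom described.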


More information about the Freeradius-Users mailing list