Windows PAP not working, Android PAP does work
aland at deployingradius.com
Tue Jun 23 15:08:33 CEST 2020
On Jun 23, 2020, at 4:57 AM, Mathias Maes <mathias.maes at maerlantatheneum.be> wrote:
> Little background on my setup:
> I made Freeradius connect to Google Secure LDAP, and I do some post
> authentication (add a VLAN attribute to a response when a user belongs to a
> certain group in Google)
> Yesterday I generated new certificates to test a 'real' production setup.
> Android: Installing cert, setting EAP-TTLS and PAP, username, password, et
> voila, everything works, connected to the right VLAN. However, it takes
> quite long (like over 5 seconds). The Freeradius log of the Android
> connection is in attachment
If it takes 5s to authenticate the user, then likely something is wrong on the Google side. i.e. the LDAP queries are taking a long time.
This is one of the few situations where you can run "radiusd -Xx". That gets you timestamps for each line that's logged. Which tells you exactly what portion of the server is taking time.
> But with Windows 10, installing server and ca certificates, setting up the
> network to use EAP-TTLS PAP, trying to connect with username and password.
Windows is using PEAP, not TTLS + PAP.
> Windows simply shows a "Cannot connect to this network", the Freeradius log
> is quite different, as I read it, it seems that Windows still tries to use
> CHAP instead of PAP,
> The Windows log is also in attachment.
I would suggest attaching the actual logs, verbatim. Redirect the "radiusd -X" output to a file if necessary.
Whatever method you've used here has reformatted the output, and added tons of whitespace, which breaks long lines. It's very unusual, and not necessary.
I would also suggest READING the debug output you're posting. If it doesn't contain references to TTLS, then it's pretty clear that Windows isn't using TTLS.
> These are my Windows settings: https://i.imgur.com/EFW1vja.png
You have to configure Windows to use TTLS + PAP.
More information about the Freeradius-Users