<html><head><meta content="text/html; charset=utf-8" http-equiv="Content-Type"></head><body><div><div style="font-family:Calibri,sans-serif;font-size:11pt">Hi Steve<br>Microsoft supports EAP TTLS in our upcoming is release of Windows 8 . That said PEAP MSChapv2 is as modern as an EAP TTLS and is a very widely and simply deployed method. I have personally used the freeradius peap mschapv2 pretty much out of the box. As far as the certificate error you saw earlier that was due to the nature of design of a modern secure authentication method which gave supported security feature like Server Certificate Validation enabled by default. If you just go through the net you will find tonnes of peap mschapv2 working eap.conf's and I suggest you compare yours to the ones available for the authentication to work. Also if you are looking for ttls only you can test with the beta of windows 8 and become one of our early adopters when it releases. <br>
<br>Thanx and Regards<br><br>Aman Arneja<br><br>Sent from my Windows Phone<br></div></div><hr><span style="font-family:Tahoma,sans-serif;font-size:10pt;font-weight:bold">From: </span><span style="font-family:Tahoma,sans-serif;font-size:10pt">Steve Hopps</span><br>
<span style="font-family:Tahoma,sans-serif;font-size:10pt;font-weight:bold">Sent: </span><span style="font-family:Tahoma,sans-serif;font-size:10pt">5/30/2012 6:23 PM</span><br><span style="font-family:Tahoma,sans-serif;font-size:10pt;font-weight:bold">To: </span><span style="font-family:Tahoma,sans-serif;font-size:10pt">FreeRadius users mailing list</span><br>
<span style="font-family:Tahoma,sans-serif;font-size:10pt;font-weight:bold">Subject: </span><span style="font-family:Tahoma,sans-serif;font-size:10pt">Re: more EAP/TTLS trouble</span><br><br></body></html><p>We're trying to use an access point configured for wpa2 using freeradius to authenticate with openldap. For Android and Linux it works out of the box with eap/ttls and pap. So we used Pam cause it already works with ldap. I didn't know other encryption types wouldn't work with Pam.</p>
<p>IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.<br>
</p>
<div class="gmail_quote">On May 30, 2012 2:43 AM, "Phil Mayers" <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 05/29/2012 10:28 PM, Steve Hopps wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So I'm confused, what's the right way to handle this situation?<br>
</blockquote>
<br>
What situation?<br>
<br>
What are you trying to do?<br>
<br>
Alan has already hinted at the issue, but basically see here:<br>
<br>
<a href="http://deployingradius.com/documents/protocols/oracles.html" target="_blank">http://deployingradius.com/<u></u>documents/protocols/oracles.<u></u>html</a><br>
<br>
...and here:<br>
<br>
<a href="http://deployingradius.com/documents/protocols/compatibility.html" target="_blank">http://deployingradius.com/<u></u>documents/protocols/<u></u>compatibility.html</a><br>
<br>
Whatever protocol you are running within TTLS, it's not PAP therefore not compatible with PAM-as-an-oracle.<br>
<br>
rlm_pam: Attribute "User-Password" is required for authentication.<br>
++[pam] returns invalid<br>
<br>
PAM is being forced (I think) here:<br>
<br>
[files] users: Matched entry DEFAULT at line 222<br>
<br>
...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication.<br>
<br>
The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</blockquote></div>