On Thu, 12 Mar 2026, at 20:34, Selahattin CILEK wrote:
I'm trying something new with FreeRADIUS. There are two virtual servers (staff, guest) which authenticate against two separate DB backends (MySQL and MSSQL, respectively). Accordingly, the clients are configured with the "virtual_server" directive. What I'm trying to achieve is to make FreeRADIUS work on two separate subnets, on which separate devices communicate with separate virtual servers, which authenticate against two separate DBs. iOS devices refuse to authenticate from the *staff* virtual server while Android devices do. And when I remove the *guest* virtual server, iOS devices start connecting too.
# radiusd -X FreeRADIUS Version 3.2.3
Upgrade, more recent versions: 1) make everyone less grumpy as we are not looking at old software 2) contain more useful debugging, in particularly around TLS issues
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (7) authenticate { (7) eap: Expiring EAP session with state 0x5892ccaa5990d684 (7) eap: Finished EAP session with state 0x5892ccaa5990d684 (7) eap: Previous EAP request found for state 0x5892ccaa5990d684, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Auth-Type sub-section not found. Ignoring. (7) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls (7) eap: Sending EAP Failure (code 4) ID 2 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject
Your iOS devices are using TTLS/EAP-MSCHAPv2, I assume your Android devices are using TTLS/PAP. FreeRADIUS has not been configured to handle EAP-MSCHAPv2. If your server does not have access to Cleartext-Password (eg. LDAP auth), you will need to configure the device to use PAP which requires installing a provisioning profile[1] using something like Apple Configurator or something home grown. If it does, you should be able to enable EAP-MSCHAPv2 as a valid supported inner method. Cheers Alex [1] alternatively enable EAP-GTC[2], for me iOS seems to auto-detect this and use that without the need for a profile [2] ...Apple (and Microsoft and Android) have made forever made GTC unusable as they all treat it as a cachable 'password' with no challenge prompt that can be shown to the user. :(