On Mar 7, 2025, at 8:14 AM, t5elrues elrues <t5elrues@gmail.com> wrote:
Did try multiple configurations to make it work without success. OpenLDAP has userPassword encrypted in SSHA1 format, which makes it difficult to be compatible with all available authentication methods.
PAP is the best choice.
I was successful on setting it with EAP-TTLS-GTC and as able to retrieve userPassword and validate MacOS, iOS and Android devices, but couldn't validate Windows devices without a 3rd party software that highschool doesn't want to use. EAP-TTLS-PAP was not allowing iOS devices to validate as they always tried to use mschapv2 with that configuration.
Then the iOS device has to be updated to allow EAP-TTLS-PAP.
So now I've been trying to do bind as user against LDAP using EAP-TTLS-PAP but can't manage to force (Android, iOS and MacOS) devices to use this configuration to validate and always try to default to mschapv2. Windows doesn't even try to bind to LDAP.
You have to update the supplicant to allow EAP-TTLS-PAP.
I can see on the debug log it uses auth-type = eap and calls submodule eap_ttls which I guess should be correct, but then I see a EAP NAK that forces to use eap_mschapv2 even though I think I've commented it to not be used in the configuration.
Yes, the supplicant is saying "no" to the server request, and then is sating "I want to use EAP-MSCHAPv2". Nothing you do to the server will fix this. The only solution is to allow EAP-TTLS-PAP on the supplicant. Alan DeKok.