My freeradius version is 2.1.1. When I config eap-tls with crl and one level root certificate,it's work normally. But when the ca is two level, the root ca is for signing the second level CA certificate , and the second level CA is for signing user certificates and crls.It's mean the root ca certificate is self-signed,but the second level ca certificate is not .How can I config ? I got the error message below: [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0477], Certificate --> verify error:num=3:unable to get certificate CRL [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned and all the message is : rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=0, length=119 User-Name = "test01" EAP-Message = 0x0202000b01746573743031 Message-Authenticator = 0xb8ef974e2b69e44cba1654b844a2d51a NAS-IP-Address = 10.10.10.221 NAS-Identifier = "0023893a34b3" NAS-Port = 16781313 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "001a-6b67-1b8a" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test01", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.10.10.221 port 5001 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf27891bef27b9cb066ded7b428b0591f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=1, length=206 User-Name = "test01" EAP-Message = 0x020300500d800000004616030100410100003d03014a9770d26937eb2ffd4e3f2645f5e215a8982050c3496e12ac70d9cff2c877c900001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x90519b61ec6ef30f291aae9592159baa NAS-IP-Address = 10.10.10.221 NAS-Identifier = "0023893a34b3" NAS-Port = 16781313 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "001a-6b67-1b8a" State = 0xf27891bef27b9cb066ded7b428b0591f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test01", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 023e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 000d], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 10.10.10.221 port 5001 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x0104028e0d8000000284160301002a0200002603014a9656618b268bb7d6920d634c828a353ce0c1b85c6ca92dd46b21f39618a96100000400160301023e0b00023a0002370002343082023030820199a00302010202084e4f6234214476cb300d06092a864886f70d0101040500301d310b300906035504061302434e310e300c06035504030c0553756243413020170d3039303832363031333833385a180f32313038303832363031333833385a301e310b300906035504061302434e310f300d06035504030c0673657276657230819f300d06092a864886f70d010101050003818d0030818902818100ba29ddeec0dca45b50e2e98794b5579fbb EAP-Message = 0x0fcbf19aadc8c874b404ed6f246afeac3f2dcd0e44cae33929357ebaa97462077052e84608d0423d51c62ba31fe6a3bca32bc751241788fee774cc260617329d46e59f72f0043cd416f9ef131205b4835b784239d5a842464bcaab0811e8893373b1590965d003e5af8c72eff3e4710203010001a3763074303b0603551d2304343032801433a67c94686b7a0b5945e4eb04766a1246433580a110810e434e3d53756243412c20433d434e82082136f9fe58a4dee730090603551d1304023000300b0603551d0f040403020780301d0603551d0e04160414cb07f5f821338b457d04acd5c60e29dac2ed3ab4300d06092a864886f70d01010405000381 EAP-Message = 0x810000c17048132d70cbcfd8e0734eeea2bd0a91d32b12a12188d1bda39562ab705aff1a3dd1484b019045c30662af4c3945d480ee87b9c7230b79794f886b2f55c1ab62dd19a366f5b6e5ec8010ce893f993b6b9ab5fe205300810aafd850fa34a1a0ff8eae2e38a207e514c5487598334592a76ae4e9e4f6c12865367365724c1d160301000d0d00000502010200000e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf27891bef37c9cb066ded7b428b0591f Finished request 1. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=2, length=1605 User-Name = "test01" EAP-Message = 0x020405bd0d80000005b316030105830b0004730004700002343082023030820199a0030201020208282cc1177c2ee3cd300d06092a864886f70d0101040500301d310b300906035504061302434e310e300c06035504030c0553756243413020170d3039303832363031333833385a180f32313038303832363031333833385a301e310b300906035504061302434e310f300d06035504030c0674657374303130819f300d06092a864886f70d010101050003818d00308189028181008874a06d0fcb137eac82d9e92d3abc270f97d8f5ea0965f69c62c6e42fe075869ba8255e9b046581ca8356f796389b9ef43b6660586d526666244cf29ef782bf EAP-Message = 0x80e4419d577a1590f89ec59bd4cf348ab3cd2af042054c423c66cd29227a628eb7710b918608cbf59872e120962c1226baa5720f8330da03e61d93def9d911130203010001a3763074303b0603551d2304343032801433a67c94686b7a0b5945e4eb04766a1246433580a110810e434e3d53756243412c20433d434e82082136f9fe58a4dee730090603551d1304023000300b0603551d0f040403020780301d0603551d0e04160414a9267c897fdd0f74a9cfd1f318d1c16b89cbaad3300d06092a864886f70d01010405000381810044be805a98c8eb17cce4cbbbca5d841cf326d507eee0b3e59e88b28f22e472eb6ed52399c5566480da512ef893 EAP-Message = 0x4203521cf8fa8d0dcff9d5ed96d7ffa3c7504400a920fdaf688dfed2502d6fac9f31d13720d40dd9f5784ddc1af78bd4efbf4f61b57ba1333384a07d3ab19903e61e38f4b075237b8d312ce96e1dd33e9913dc000236308202323082019ba00302010202082136f9fe58a4dee7300d06092a864886f70d0101040500301e310b300906035504061302434e310f300d06035504030c06526f6f744341301e170d3039303832363031333635325a170d3139303832363031333635325a301d310b300906035504061302434e310e300c06035504030c05537562434130819f300d06092a864886f70d010101050003818d0030818902818100849a9687d2 EAP-Message = 0xfb63cd2407c98484c06f714766dbcbfdfdd3e52d003ebd049f1a91f68a4eaf12326bd82e6805fa90610e906c798ef0c574c502913958de79f4ec774ce89b625a738b6f395c30a2703d81d47785e4a47bdb49c96a9857645507cc8ad67bf1d1e2253ac8ea5884bb7fa8079da740922a9d18d421d159252dcb0250db0203010001a37a3078303c0603551d230435303380146d746f53b99052eda7f2ddc00aeaf4a7627376c8a111810f434e3d526f6f7443412c20433d434e82082a44f6b76f9b83fd300c0603551d13040530030101ff300b0603551d0f040403020106301d0603551d0e0416041433a67c94686b7a0b5945e4eb04766a124643358030 EAP-Message = 0x0d06092a864886f70d01010405000381810082ce3a088d975173c71d7c9479349ce87191a8fcd70190782de1b2e927b682a95dabc305faf7e6e3424f224c2c992b0d95d1cd208d7f8a9b0dc29e622c72eeb4bf8189a0019e0d715a69824cae4d8726598a11933a29d6ffe0296a6187f1f5f56bebc0d9c74cedcf406aa12a348b85c0b7677fd7513ec7fa605d3b1c40441d00100000820080775b3bf40951517762ab09a29118cb469943c3394f79c1cf6af9b2c16f3cbfe0b46286a46502fec8db0a27375a47d3a80caeabc2a9d111e54d12dbb827a4ff0986c1bc216667b3664ef9c2eb0f8e2ad2ce9416ffbec8698958a25647a4c41e3b1d025bae7e EAP-Message = 0x314d333770c694a9e0b7c69c55d41cb5d39a6cd0a9104c321b16f10f000082008045ee5b3caa57d90cc677cef5613fd7ea7eface1fd270d8d79f30c9a5aa59955e1970bb46e9810e3b32d3b95aed2ed6851c3f1d472eb5cdcd66a36812a5cd504dabfcdb2480706f72609d6306256df7fe4643ce33251643d2b3a139523f06f089b82b3da272f94f93f2053f0853bc676e7f1c33ff2acda82ea33719447cec713514030100010116030100205d4a7ef850987e1a7050cda07ad2cde2259bb9bccb34e35d71074ebb54fbe2cc Message-Authenticator = 0x092ea59633356e2212f9d607f393ed3a NAS-IP-Address = 10.10.10.221 NAS-Identifier = "0023893a34b3" NAS-Port = 16781313 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "001a-6b67-1b8a" State = 0xf27891bef37c9cb066ded7b428b0591f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test01", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1459 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0477], Certificate --> verify error:num=3:unable to get certificate CRL [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test01 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 2 to 10.10.10.221 port 5001 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. Cleaning up request 0 ID 0 with timestamp +124 Waking up in 0.1 seconds. Cleaning up request 1 ID 1 with timestamp +124 Waking up in 1.2 seconds. Cleaning up request 2 ID 2 with timestamp +125 Ready to process requests. and the eap.conf is : # -*- text -*- ## ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) ## ## $Id$ ####################################################################### # # Whatever you do, do NOT set 'Auth-Type := EAP'. The server # is smart enough to figure this out on its own. The most # common side effect of setting 'Auth-Type := EAP' is that the # users then cannot use ANY other authentication method. # # EAP types NOT listed here may be supported via the "eap2" module. # See experimental.conf for documentation. # eap { # Invoke the default supported EAP type when # EAP-Identity response is received. # # The incoming EAP messages DO NOT specify which EAP # type they will be using, so it MUST be set here. # # For now, only one default EAP type may be used at a time. # # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. # default_eap_type = tls # A list is maintained to correlate EAP-Response # packets with EAP-Request packets. After a # configurable length of time, entries in the list # expire, and are deleted. # timer_expire = 60 # There are many EAP types, but the server has support # for only a limited subset. If the server receives # a request for an EAP type it does not support, then # it normally rejects the request. By setting this # configuration to "yes", you can tell the server to # instead keep processing the request. Another module # MUST then be configured to proxy the request to # another RADIUS server which supports that EAP type. # # If another module is NOT configured to handle the # request, then the request will still end up being # rejected. ignore_unknown_eap_types = no # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given # a User-Name attribute in an Access-Accept, it copies one # more byte than it should. # # We can work around it by configurably adding an extra # zero byte. cisco_accounting_username_bug = no # # Help prevent DoS attacks by limiting the number of # sessions that the server is tracking. Most systems # can handle ~30 EAP sessions/s, so the default limit # of 2048 is more than enough. max_sessions = 2048 # Supported EAP-types # # We do NOT recommend using EAP-MD5 authentication # for wireless connections. It is insecure, and does # not provide for dynamic WEP keys. # md5 { } # Cisco LEAP # # We do not recommend using LEAP in new deployments. See: # # Cisco LEAP uses the MS-CHAP algorithm (but not # the MS-CHAP attributes) to perform it's authentication. # # As a result, LEAP *requires* access to the plain-text # User-Password, or the NT-Password attributes. # 'System' authentication is impossible with LEAP. # leap { } # Generic Token Card. # # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. # # Proxying the tunneled EAP-GTC session is a bad idea, # the users password will go over the wire in plain-text, # for anyone to see. # gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " # The plain-text response which comes back # is put into a User-Password attribute, # and passed to another module for # authentication. This allows the EAP-GTC # response to be checked against plain-text, # or crypt'd passwords. # # If you say "Local" instead of "PAP", then # the module will look for a User-Password # configured for the request, and do the # authentication itself. # auth_type = PAP } ## EAP-TLS # # See raddb/certs/README for additional comments # on certificates. # # If OpenSSL was not found at the time the server was # built, the "tls", "ttls", and "peap" sections will # be ignored. # # Otherwise, when the server first starts in debugging # mode, test certificates will be created. See the # "make_cert_command" below for details, and the README # file in raddb/certs # # These test certificates SHOULD NOT be used in a normal # deployment. They are created only to make it easier # to install the server, and to perform some simple # tests with EAP-TLS, TTLS, or PEAP. # # See also: # # tls { # # These is used to simplify later configurations. # certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = 111111 private_key_file = ${certdir}/server.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/server.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. CA_file = ${cadir}/ca.pem # # For DH cipher suites to work, you have to # run OpenSSL to create the DH file first: # # openssl dhparam -out certs/dh 1024 # dh_file = ${certdir}/dh random_file = ${certdir}/random # # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half # that, to accomodate other attributes in # RADIUS packet. On most APs the MAX packet # length is configured between 1500 - 1600 # In these cases, fragment size should be # 1024 or less. # # fragment_size = 1024 # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is # included in EVERY packet we send. # If set to no, Total Length of the # message is included ONLY in the # First packet of a fragment series. # # include_length = yes # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. # 'c_rehash' is OpenSSL's command. # 3) uncomment the line below. # 5) Restart radiusd check_crl = yes CA_path = ${certdir} # # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in # the client certificate. If the values do not # match, the cerficate verification will fail, # rejecting the user. # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # # If check_cert_cn is set, the value will # be xlat'ed and checked against the CN # in the client certificate. If the values # do not match, the certificate verification # will fail rejecting the user. # # This check is done only if the previous # "check_cert_issuer" is not set, or if # the check succeeds. # # check_cert_cn = %{User-Name} # # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". cipher_list = "DEFAULT" # # This configuration entry should be deleted # once the server is running in a normal # configuration. It is here ONLY to make # initial deployments easier. # make_cert_command = "${certdir}/bootstrap" # # Session resumption / fast reauthentication # cache. # cache { # # Enable it. The default is "no". # Deleting the entire "cache" subsection # Also disables caching. # # You can disallow resumption for a # particular user by adding the following # attribute to the control item list: # # Allow-Session-Resumption = No # # If "enable = no" below, you CANNOT # enable resumption for just one user # by setting the above attribute to "yes". # enable = no # # Lifetime of the cached entries, in hours. # The sessions will be deleted after this # time. # lifetime = 24 # hours # # The maximum number of entries in the # cache. Set to "0" for "infinite". # # This could be set to the number of users # who are logged in... which can be a LOT. # max_entries = 255 } } # The TTLS module implements the EAP-TTLS protocol, # which can be described as EAP inside of Diameter, # inside of TLS, inside of EAP, inside of RADIUS... # # Surprisingly, it works quite well. # # The TTLS module needs the TLS module to be installed # and configured, in order to use the TLS tunnel # inside of the EAP packet. You will still need to # configure the TLS module, even if you do not want # to deploy EAP-TLS in your network. Users will not # be able to request EAP-TLS, as it requires them to # have a client certificate. EAP-TTLS does not # require a client certificate. # # You can make TTLS require a client cert by setting # # EAP-TLS-Require-Client-Cert = Yes # # in the control items for a request. # ttls { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # TTLS tunnel, we recommend using EAP-MD5. # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. default_eap_type = md5 # The tunneled authentication request does # not usually contain useful attributes # like 'Calling-Station-Id', etc. These # attributes are outside of the tunnel, # and normally unavailable to the tunneled # authentication request. # # By setting this configuration entry to # 'yes', any attribute which NOT in the # tunneled authentication request, but # which IS available outside of the tunnel, # is copied to the tunneled request. # # allowed values: {no, yes} copy_request_to_tunnel = no # The reply attributes sent to the NAS are # usually based on the name of the user # 'outside' of the tunnel (usually # 'anonymous'). If you want to send the # reply attributes based on the user name # inside of the tunnel, then set this # configuration entry to 'yes', and the reply # to the NAS will be taken from the reply to # the tunneled request. # # allowed values: {no, yes} use_tunneled_reply = no # # The inner tunneled request can be sent # through a virtual server constructed # specifically for this purpose. # # If this entry is commented out, the inner # tunneled request will be sent through # the virtual server that processed the # outer requests. # virtual_server = "inner-tunnel" } ################################################## # # !!!!! WARNINGS for Windows compatibility !!!!! # ################################################## # # If you see the server send an Access-Challenge, # and the client never sends another Access-Request, # then # # STOP! # # The server certificate has to have special OID's # in it, or else the Microsoft clients will silently # fail. See the "scripts/xpextensions" file for # details, and the following page: # # http://support.microsoft.com/kb/814394/en-us # # For additional Windows XP SP2 issues, see: # # http://support.microsoft.com/kb/885453/en-us # # Note that we do not necessarily agree with their # explanation... but the fix does appear to work. # ################################################## # # The tunneled EAP session needs a default EAP type # which is separate from the one for the non-tunneled # EAP module. Inside of the TLS/PEAP tunnel, we # recommend using EAP-MS-CHAPv2. # # The PEAP module needs the TLS module to be installed # and configured, in order to use the TLS tunnel # inside of the EAP packet. You will still need to # configure the TLS module, even if you do not want # to deploy EAP-TLS in your network. Users will not # be able to request EAP-TLS, as it requires them to # have a client certificate. EAP-PEAP does not # require a client certificate. # # # You can make PEAP require a client cert by setting # # EAP-TLS-Require-Client-Cert = Yes # # in the control items for a request. # peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. copy_request_to_tunnel = no use_tunneled_reply = no # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. # proxy_tunneled_request_as_eap = yes # # The inner tunneled request can be sent # through a virtual server constructed # specifically for this purpose. # # If this entry is commented out, the inner # tunneled request will be sent through # the virtual server that processed the # outer requests. # virtual_server = "inner-tunnel" } # # This takes no configuration. # # Note that it is the EAP MS-CHAPv2 sub-module, not # the main 'mschap' module. # # Note also that in order for this sub-module to work, # the main 'mschap' module MUST ALSO be configured. # # This module is the *Microsoft* implementation of MS-CHAPv2 # in EAP. There is another (incompatible) implementation # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not # currently support. # mschapv2 { } }