On 02/08/2013 11:42 PM, Jaap Winius wrote:
Quoting Alan DeKok <aland@deployingradius.com>:
No. You can't turn off EAP. The client is sending EAP to the server. You need to change the client. And likely you can't, because it *needs* to do EAP.
Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to WPA-EAP and it looks like that's my only option. But, if you're correct, then how is this supposed to work? You make it sound like a catch-22.
The choice of authentication algorithm (EAP) and any EAP-type are made client side. Different EAP types have different requirements, in terms of what data you need to successfully authenticate a user - see here: http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html PAM, as noted at the 2nd link, s an "oracle" that can *only* be used to authenticate PAP, and therefore EAP-TTLS/PAP. Your client is doing EAP-TTLS/EAP-MD5. You have two choices: 1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able to authenticate 2. Stop using PAM, and provide the server with the client credentials in a form compatible with your EAP-type (see 1st URL above) These are your only options.