On Sep 23, 2025, at 7:49 AM, Arifia Hapsari <arifiarahmi@gmail.com> wrote:
I am trying to configure FreeRADIUS for guest Wi-Fi authentication using *EAP-TTLS/PAP*. My backend is a custom REST API that validates the username and plain-text password.
It's almost always better to have the back-end supply the password to FreeRADIUS. FreeRADIUS can then authenticate the user.
Does the log line Peer NAK'd asking for unsupported EAP type MSCHAPv2 definitively mean that client requests MSCHAPv2 but the server is only configured to accept EAP-TTLS/PAP?
Yes.
2.
What is the recommended best practice to solve this for a guest network? Should I focus on forcing the client devices to use PAP,
That's pretty much impossible. There's no way for a server to reconfigure the client. If you can somehow change the client configuration to use PAP, that would work. But that can only be done manually / script / etc. i.e. outside of RADIUS.
or is it more reliable to reconfigure my server and REST API to support MSCHAPv2 (by providing the NT-Password hash)?
Yes. Alan DeKok.