Bram Matthys (Syzop) wrote:
I'm using FreeRadius 2.0.3. I've seen several tutorials regarding Freeradius 1, which help, but they are a bit outdated, and are often using a different authentication method or protocol (like PEAP).
TTLS with MS-CHAP2 is 99% like PEAP.
I've verified ntlm_auth works on the command line. I've been following (among others) http://deployingradius.com/documents/configuration/active_directory.html ... Once this passed (i tested with radtest), I commented out both, because it was only for testing.
Yes.
Side note..I had set 'wait = no' previously, due to the tutorial mentioning that, but then the password was always correct even if I provided an incorrect one.
Fixed, thanks.
I've also been reading http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO by the way, and while it did help they use PEAP (w/mschapv2) so hmm.
It should be the same.
Anyway, back on track: I've taken the default radius configuration files (as of v2.0.3), and editted them..
You should use 2.0.4, for a number of reasons. ...
ttls { default_eap_type = mschapv2
Are you using EAP-MSCHAPv2, or MS-CHAPv2? See the comments above this configuration entry in the default eap.conf file. ... You'll also need a raddb/sites-enabled/inner-tunnel file. It's not installed in 2.0.3. This was fixed in 2.0.4.
This is what I get using the 'rad_eap_test' tool.. since i'm working remotely I cannot use securew2 at the moment (if someone has another suggestion on how to check eap ttls w/mschapv2, let me know..
eapol_test, which comes with wpa_supplicant. Install 2.0.4, which should help. Alan DeKok.