With that, and a few configuration options (like making sure the host was connected to the domain and ntlm_auth functioned as required), i've managed to get PEAP and EAP-MSCHAPv2 working fine to the ntdomain.
EAP-TTLS works fine with an account in the "users" file that has a clear text password, as well as a local /etc/password account. Ideally this should work with the ntdomain as well. I'm testing with a laptop running XP, with the secureW2 package installed to provide TTLS.
if you are using EAP-TTLS/PAP then you'll need a plain text password - this can be done via kerberos to the AD. This is a Samba NT domain, not AD. I do not have access to the plain text password through Samba or LDAP.
The "Protocol and Password Compatibility" chart and the "Authenticaiton Systems and Password Compatibility" chart from the "Deploying RADIUS: The Book" page specifically says PAP/ntlm_auth is functional. Regular CHAP is not because it requires the clear-text password.
otherwise EAP-TTLS/MSCHAPv2 should work just like PEAP
except when testing whether EAP-TTLS works, it doesn't help much.
i'd advise to get id of the DEFAULT Auth := System line from the users file
Done.. auth to the /etc/passwd accounts doesn't make much sense. -- James A. McOrmond (jamesm@xandros.com) Network Administrator Xandros Corporation, Ottawa, Canada. Morpheus: ...after a century of war I remember that which matters most: *We are still HERE!*