Hi, yes I tried to use a TTLS-PAP profile and it worked without any reconfiguration. I dont like the thought of having weak passwords in LDAP at all and on the other hand TLS on radius clients can also not be made 100% secure. So I guess my next steps is to go for client certs for the people with a lot of permissions on systems. With kind regards, Marlen Caemmerer Am 2016-11-03 08:40, schrieb Stefan Winter:
Hi,
As far as I understand MacOS tries to use MS-CHAPv2 and this does not seem to work.
IIRC, Apple changed the TTLS default inner method away from PAP to EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back.
If you want an inner of (non-EAP)PAP then you have to tell the Mac and iOS devices with a .mobileconfig configuration file.
Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you have NT-Hashes or cleartext of the passwords of your users.
If you want to generate .mobileconfig files and also config files for lots of other platforms all in one go, try https://802.1x-config.org [1]
Links: ------ [1] https://802.1x-config.org