On 11/09/13 12:05, stefan.paetow@diamond.ac.uk wrote:
The alternative is getting your users to install something like SecureW2 (which I believe requires a license now), and using EAP-TTLS- PAP which submits the users password in plaintext, or I believe more recent flavours of Windows support EAP-TTLS too.
If I remember correctly, when using EAP-TTLS-PAP, the top-level default_eap_type should be "ttls", and then the default_eap_type in the TTLS section should be "gtc" (which uses PAP by default).
AFAIK (and please correct me if I'm wrong), you cannot set the TTLS default_eap_type setting to PAP.
That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just PAP. So "default_eap_type" is irrelevant. You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel - by populating a cleartext or hashed password and calling the "pap" module in the authorize/authenticate section, or other more specialised configs. EAP-TTLS/EAP-GTC is a different thing.