Daniel Schmidt wrote:
To summarize: 1. radtest works fine with static cleartext AND pam users 2. eapol_test with static cleartext user is fine 3. eapol_test with pam user - not fine. "rlm_pam: Attribute "User-Password" is required for authentication."
Because you're forcing "Auth-Type = PAM", in the "default" virtual server.
This all *seems* to imply the eap/pap/pam configuration is working fine.
No. PAP does password authentication. The "default" virtual server processes this. EAP-TTLS does EAP authentication. The "default" virtual server processes this. Notice there is NO PASSWORD. Inside of EAP-TTLS, there's a password. This *inner* authentication is processed in the "inner-tunnel" virtual server. If you READ the debug output, you would see this. You need to put the PAM authentication into the "inner-tunnel" virtual server. In recent versions, read the top of raddb/sites-available/inner-tunnel. It describes how to test the inner-tunnel authentication methods. Alan DeKok.