On Tue, 2019-07-23 at 15:13 -0400, Kev Xlr wrote:
The backend database is Azure AD DS with LDAPS enabled, and the goal is to have EAP-TTLS/PAP for wifi access points. Obviously passwords are not in cleartext so users should be authenticated by a simple LDAP bind by the rlm_ldap module.
Your client is using PEAP, not TTLS. So there's no inner PAP, and no plaintext password is available for the LDAP bind.
(0) eap: Peer sent packet with method EAP Identity (1)
c: EAP identity
(0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge
fr: Can you do MD5?
(1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25)
c: Nope... PEAP please. fr: OK! Reconfigure the client to do TTLS/PAP, then see where you get from there. -- Matthew