freeradius with EAP-TTLS and PAP auth

Stefan.Neis at Stefan.Neis at
Wed Aug 3 12:55:07 CEST 2005


> And forces (even if I encountered several times that may not be done like that) in the users conf :
> testuser Auth-Type := PAP, User-Password == "testpass"
> and also tested EAP,

Don't. FreeRadius typically treats EAP-Requests as _two_ requests. It handles the EAP stuff
and then generates a new request for the stuff that's contained in the tunnel (e.g. PAP) and
sends that to itself. So, if you force Auth-Type to either EAP or PAP unconditionally, either
the "inner" (PAP) or the outer (EAP) protocol cannot be handled.

> and not specifying the Auth-Type (which then fallback to the System
> module and obviously fail)

Now, that's a problem...

> Without Auth-Type :
>     rad_check_password:  Found Auth-Type System
>   auth: type "System"
>     Processing the authenticate section of radiusd.conf
>   modcall: entering group authenticate for request 5
>   rlm_unix: [testuser]: invalid password

Apparently, it can't find a password (cleartext or uncrypted) for the user, so it falls
back to Auth-Type System. Try to get PAP authentication working by itself, first, i.e.
just use radtest to send username/password combinations to the server and fix their
handling. Once that works, EAP-TTLS with PAP should work as well.


More information about the Freeradius-Users mailing list