freeradius with EAP-TTLS and PAP auth

Mathieu Geli geli at
Wed Aug 3 12:48:02 CEST 2005

> Don't. FreeRadius typically treats EAP-Requests as _two_ requests. It handles the EAP stuff
> and then generates a new request for the stuff that's contained in the tunnel (e.g. PAP) and
> sends that to itself. So, if you force Auth-Type to either EAP or PAP unconditionally, either
> the "inner" (PAP) or the outer (EAP) protocol cannot be handled.

you are probably right, I definitly will avoid forcing Auth-Type and let freeradius do the job.

> Apparently, it can't find a password (cleartext or uncrypted) for the user, so it falls
> back to Auth-Type System. Try to get PAP authentication working by itself, first, i.e.
> just use radtest to send username/password combinations to the server and fix their
> handling. Once that works, EAP-TTLS with PAP should work as well.

You pointed it out. Actually I just had to *comment out* (or force Auth-Type := PAP) :

  DEFAULT	Auth-Type = System
      Fall-Through = 1

which was earlier defined in the users file.
And stay with the simple :

  "testuser" Password == "testpass"

The proxy works also like a charm if you take care to add in the proxy.conf, in the realm definition : 'nostrip'
(got that stupid error about "Identity does not match User-Name, setting from EAP Identity" for a while)

So thanks for the quick reply Stefan !


More information about the Freeradius-Users mailing list