Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

Alan DeKok aland at
Thu Dec 11 15:38:45 CET 2008

Attou eric wrote:
> We are having some issues in setting up freeradius to support EAP-TLS,
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.

  Please read eap.conf.  You need certain things in the certificates for
PEAP to work on Windows.  I'm not sure that TinyCA does the right thing.

> We also add radius' log after an authentication attempt from  windows XP OS  
> using windows built in supplicant by supplying a username and password
> stored in
> our /etc/passwd file.

  PEAP will NOT work with /etc/passwd.  It's impossible.

> But the authentication failed with this
> error message :
> *rlm_eap: identity does not match User-Name, setting from EAP identity*
> ########Radius logs ################
> ...............Thu Dec 11 14:59:10 2008 : Debug: main {

  Please *follow* the instructions in the FAQ, README, INSTALL, and
"man" page.  We want "radiusd -X", not "radiusd -xX".  Adding the dates
makes the debug output harder to read.

  Note also that the debug output *includes* the configuration.  So
there's no need to post it separately.  And we don't ask for it, either.

> Sending Access-Request of id 200 to port 1812
> rad_recv: Access-Request packet from host port 1814, id=200,
> length=143

  Could you explain why you're proxying the packet from the server to
itself?  This isn't necessary.  It's also bad.

> Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match
> User-Name, setting from EAP Identity.

  Your supplicant is broken.  The two fields should match.

  Or, you're editing the User-Name.  Don't do that.

> Is there something wrong in our configurations?
> Is it normal that there is no User-Password attribute in Access-Request
> packet?

  Yes.  This is how EAP works.

  Alan DeKok.
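
Added example, not part of the original message and not FreeRADIUS code: a small RADIUS Access-Request parser illustrating two points from the reply above, that the EAP Response/Identity carried in EAP-Message is expected to equal User-Name, and that an EAP request carries no User-Password attribute. The function names and the sample packet produced by build_request are constructed for illustration.

```python
import struct

USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79  # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1            # EAP code and type (RFC 3748)

def parse_attributes(packet):
    """Return {type: [values]} for the attributes of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # 20 = code + id + length + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def eap_identity(attrs):
    """Return the EAP Response/Identity string, or None for any other EAP message."""
    eap = b"".join(attrs.get(EAP_MESSAGE, []))  # EAP may span several attributes
    if len(eap) < 5:
        return None
    code, _id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", "replace")

def check_request(packet):
    """Summarise the fields the reply talks about for one Access-Request."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, [b""])[0].decode("utf-8", "replace")
    ident = eap_identity(attrs)
    return {"user_name": user, "eap_identity": ident,
            "identity_matches": ident is None or ident == user,
            "has_user_password": USER_PASSWORD in attrs}

def build_request(user_name, identity):
    """Constructed sample packet (zero authenticator, no Message-Authenticator)."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    attrs = bytes([USER_NAME, 2 + len(user_name)]) + user_name
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 200, 20 + len(attrs)) + bytes(16) + attrs
```

check_request(build_request(b"bob", b"bob")) reports a match and no User-Password; changing either name reproduces the mismatch condition behind the rlm_eap message quoted above.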
