'Attribute "User-Password" is required for authentication.' (EAP/TTLS/RADIUS/PAM)

Alan DeKok aland at deployingradius.com
Wed Jun 11 22:01:01 CEST 2008

sth wrote:
> Hi folks,

  Posting huge amounts of configuration files to the list isn't necessary.

> My NAS is talking to the FR instance (being run in "-X" debug mode, of
> course), but the NAS doesn't appear to be sending the "User-Password"
> attribute that FR is expecting.

  No.  It's sending EAP-Message.  This is how RADIUS works.

> What I'm going for, here, is EAP/TTLS.
> I've synthesized a few HOWTOs* to arrive at my current configuration,
> which is attached in the form of my (sanitized) radiusd.conf,
> clients.conf, and eap.conf, as well as /etc/pam.d/radiusd.

  Why?  Which part of the documentation said this was a good idea?

> Also attached are a few sample conversations as seen from the
> perspective of FR using a user that's active in PAM
> (radiusd-X_actual_eap_client.txt and radiusd-X_radeapclient.txt), AND
> one using an account that's local at FR, i.e., in the /etc/raddb/users
> file (radiusd-X_testuser_actual_eap_client.txt).

  Ugh.  More "I tried random things and I'm not sure what they did, or
why they didn't work".

> My test case will eventually include Windows XP Pro, Vista Business, and
> Mac OS X 10.4 specimens, but for now I'm using only Mac OS X 10.5, as it
> seems to have very flexible native support for mucking with 802.1x
> settings.

  The version of FreeRADIUS you're running won't work with Vista.
Upgrade to 2.0.5.

> I did see mention of a similar symptom in my searches, and a few
> (including this one[2]) suggested that a fix was forthcoming in 1.1.5.
> By way of attempting this, I tried rolling my own 2.0.5 instance of FR,
> but it had the same problem.

  Similar symptom of... what?  Are we supposed to read thousands of
lines of debug output, from 6 different runs, and no explanation of what
you're trying to do?

  The method you're using to ask for questions on the list explains why
this is such a hard problem to solve.  You're not starting off with the
default configs.  You're not following the examples.  You're trying tons
of different things at random to see if they work.  And you expect
someone here to work through it, figure out what you mean, and solve the

  Umm... no.

> In any case, this seems to be one of the more common errors for people
> attempting 802.1x auth via RADIUS, and since there are so many different
> scenarios cited by the posts I'm finding,

  So you're reading random posts on the net, rather than the
documentation that comes with the server.  <sigh>.

  The documentation that comes with the server explains a lot.  The Wiki
has more documentation.

> I hoped that the knowledgeable
> among you might analyze and comment on my configuration. I can provide
> further information and diagnostic output upon request.

  No.  Start off with 2.0.5.  Read the FAQ.  Add a known user, as given
by the example in the FAQ.  Un-check "validate server cert" on the
Windows box.

  PEAP will work.

  It's that easy.

  Oh, and PAM isn't a useful authentication method for wireless.  See my
web page:  http://deployingradius.com/documents/protocols/oracles.html

  Alan DeKok.
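
The point made in the reply above, that an 802.1X NAS sends EAP-Message rather than User-Password, shown as an added example (not part of the original post and not FreeRADIUS code). The packets are constructed samples with a zeroed authenticator and Message-Authenticator; the helper names are hypothetical.

```python
import struct

# Attribute type numbers from RFC 2865 and RFC 3579.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def credential_kind(packet: bytes) -> str:
    """Name the credential attribute the request actually carries."""
    attrs = parse_attributes(packet)
    if EAP_MESSAGE in attrs:
        return "eap"    # handled by the EAP module, no User-Password here
    if USER_PASSWORD in attrs:
        return "pap"    # the only case a User-Password-only module can use
    if CHAP_PASSWORD in attrs:
        return "chap"
    return "none"

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) for the samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed EAP-Response/Identity: code 2, id 0, length 8, type 1, "bob".
EAP_IDENTITY = bytes([2, 0, 0, 8, 1]) + b"bob"
DOT1X_REQUEST = build_request([(USER_NAME, b"bob"),
                               (EAP_MESSAGE, EAP_IDENTITY),
                               (MESSAGE_AUTHENTICATOR, bytes(16))])
PAP_REQUEST = build_request([(USER_NAME, b"bob"), (USER_PASSWORD, bytes(16))])

if __name__ == "__main__":
    print(credential_kind(DOT1X_REQUEST), credential_kind(PAP_REQUEST))
```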
