howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE mba_oyone at
Wed May 7 14:39:33 CEST 2008


I think I really missed something! That config should take less than 15 minutes, but I haven't been able to solve my problem for more than a week.

Alan or Ivan, could you give me half an hour to help me fix my RADIUS EAP-TLS config, please? I would like to give you full access to my network and my terminal too, so the diagnosis should be very, very easy for you!
Is it possible?

Lot. El Firdaous
Bât GH20, Porte A 204, Appt 8
20000 Oulfa
Casablanca - Maroc
Tél. : +212 69 25 85 70

----- Original message ----
From: Alan DeKok <aland at>
To: FreeRadius users mailing list <freeradius-users at>
Sent: Monday, 5 May 2008, 17:18:10
Subject: Re: Re: howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE wrote:
> The VLAN attributes defined in RFC3580 are as follows:
> •   Tunnel-Type=VLAN (13)
> •   Tunnel-Medium-Type=802
> •   Tunnel-Private-Group-ID=VLANID
> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which
>         is why client entries use 6 for the Tunnel-Medium-Type value.

  No.  For Tunnel-Medium-Type, "802" is a *name*, not a *number*.    See
Section 3.2 of RFC 2868:

      The Value field is three octets and contains one of the values
      listed under "Address Family Numbers" in [14].  For the sake of
      convenience, a relevant excerpt of this list is reproduced below.

   1      IPv4 (IP version 4)
   2      IPv6 (IP version 6)
   3      NSAP
   4      HDLC (8-bit multidrop)
   5      BBN 1822
   6      802 (includes all 802 media plus Ethernet "canonical format")

  FreeRADIUS gets it *right*.  Many NAS vendors get it *wrong*.

> To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the
> etc/raddb/users file, which contains the user account information, and add for the new user.
> The following example shows the entry for a user in the users file. The username is
> “johndoe,” the password is “test1234.” The user is assigned to VLAN 77.
> johndoe Auth-Type := EAP, User-Password == "test1234"
>           Tunnel-Type = 13,
>           Tunnel-Medium-Type = 6,

  Or:  Tunnel-Medium-Type = IEEE-802

> In both cases, it stays on "IDENTITY VALIDATION" in XP wireless management, and sometimes I receive the right IP address in the right IP pool, but lose it immediately, maybe because of the repeating cycle of the authentication sequence.
> AND, the client certificate, signed by the Server (not the CA root), is still with the same message.
> Hope it would be helpful!!

  Arg.  Microsoft keeps putting magic nonsense into their OS's to make
it difficult to use non-Microsoft RADIUS servers.

  And yes, this *is* a problem even inside of Microsoft!  So if you're
finding it a PITA to get it working, rest assured that Microsoft does, too.

  Alan DeKok.
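
Added example, not part of the original messages and not FreeRADIUS code: a Python sketch that encodes the three VLAN attributes with the three-octet Value field quoted above and checks a reply for the mistake discussed in the thread (the name "802" sent as a number instead of 6). The attribute type codes 64, 65 and 81 come from RFC 2868, not from this page; the function names, the sample bytes and the choice to omit a zero tag octet are assumptions of the example.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN = 13        # Tunnel-Type value for VLAN
IEEE_802 = 6     # address family number named "802"

def encode_vlan(vlan_id, tag=0):
    """Build the three VLAN attributes as raw RADIUS AVPs."""
    def tagged_int(attr, value):
        # type, length (always 6), tag, then the three-octet Value field
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if tag:                          # assumption: tag octet left out when 0
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def check_vlan_attrs(avps):
    """Walk raw AVPs; return (vlan_id or None, list of problems found)."""
    seen, problems, i = {}, [], 0
    while i < len(avps):
        length = avps[i + 1] if i + 1 < len(avps) else 0
        if length < 3 or i + length > len(avps):
            problems.append(f"malformed attribute at offset {i}")
            break
        attr, body = avps[i], avps[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length == 6:
                seen[attr] = int.from_bytes(body[1:], "big")  # skip tag octet
            else:
                problems.append(f"attribute {attr} must have length 6")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # a first octet of 0x1F or less is a tag, otherwise part of the string
            text = body[1:] if body[0] <= 0x1F else body
            seen[attr] = text.decode("ascii", "replace")
        i += length
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append(f"Tunnel-Medium-Type is {seen.get(TUNNEL_MEDIUM_TYPE)}, not 6 (802)")
    vlan_id = seen.get(TUNNEL_PRIVATE_GROUP_ID)
    if vlan_id is None:
        problems.append("Tunnel-Private-Group-ID missing")
    return vlan_id, problems

# Constructed samples: a correct reply, and one carrying the name 802 as a number
GOOD = encode_vlan(77)
BAD = GOOD[:9] + (802).to_bytes(3, "big") + GOOD[12:]
```

check_vlan_attrs(GOOD) returns the VLAN ID with an empty problem list, while check_vlan_attrs(BAD) reports the Tunnel-Medium-Type mismatch.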