Alan DeKok aland at deployingradius.com
Wed May 21 19:21:26 CEST 2008

Bram Matthys (Syzop) wrote:
> I'm using FreeRadius 2.0.3. I've seen several tutorials regarding
> Freeradius
> 1, which help, but they are a bit outdated, and are often using a different
> authentication method or protocol (like PEAP).

  TTLS with MS-CHAP2 is 99% like PEAP.

> I've verified ntlm_auth works on the command line.
> I've been following (among others)
> http://deployingradius.com/documents/configuration/active_directory.html
> Once this passed (I tested with radtest), I commented out both, because it
> was only for testing.


> Side note..I had set 'wait = no' previously, due to the tutorial mentioning
> that, but then the password was always correct even if I provided an
> incorrect one.

  Fixed, thanks.

> I've also been reading
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO by
> the way, and while it did help they use PEAP (w/mschapv2) so hmm.

  It should be the same.

> Anyway, back on track:
> I've taken the default radius configuration files (as of v2.0.3), and
> edited them..

  You should use 2.0.4, for a number of reasons.

>                 ttls {
>                         default_eap_type = mschapv2

  Are you using EAP-MSCHAPv2, or MS-CHAPv2?  See the comments above this
configuration entry in the default eap.conf file.

  You'll also need a raddb/sites-enabled/inner-tunnel file.  It's not
installed in 2.0.3.  This was fixed in 2.0.4.

> This is what I get using the 'rad_eap_test' tool.. since I'm working
> remotely I cannot use securew2 at the moment (if someone has another
> suggestion on how to check eap ttls w/mschapv2, let me know..)

  eapol_test, which comes with wpa_supplicant.

  Install 2.0.4, which should help.

  Alan DeKok.
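An added example, not part of the thread above, of the eapol_test approach Alan suggests: a small POSIX shell script that writes a wpa_supplicant-style network block for EAP-TTLS and runs it against the server for both inner methods, plain MS-CHAPv2 (phase2 "auth=MSCHAPV2", handled by the mschap module in the inner-tunnel virtual server) and EAP-MSCHAPv2 (phase2 "autheap=MSCHAPV2", the ttls default_eap_type = mschapv2 case). That is the distinction Alan's "EAP-MSCHAPv2 or MS-CHAPv2?" question is about, and running both tells you which one the server is actually configured for. The server address, shared secret, test user, password and CA path are placeholders (assumptions), not values from the thread; eapol_test itself is built from the wpa_supplicant source tree with "make eapol_test".

```shell
#!/bin/sh
# Added example (not from the original thread): exercise EAP-TTLS against a
# FreeRADIUS server with eapol_test from wpa_supplicant, once for each inner
# method, so a client/server mismatch shows up as a clear failure.
# All of the values below are placeholders (assumptions); override via env.

RADIUS_SERVER="${RADIUS_SERVER:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"    # must match clients.conf
TEST_USER="${TEST_USER:-bob}"                   # a user ntlm_auth already accepts
TEST_PASS="${TEST_PASS:-hello}"
CA_CERT="${CA_CERT:-/etc/raddb/certs/ca.pem}"   # server CA; verifying it is the point

# Print an eapol_test/wpa_supplicant network block for EAP-TTLS.
# $1 selects the inner (phase 2) method:
#   auth=MSCHAPV2     plain MS-CHAPv2 inside the tunnel (inner-tunnel + mschap)
#   autheap=MSCHAPV2  EAP-MSCHAPv2 inside the tunnel (ttls default_eap_type)
gen_ttls_conf() {
  phase2="$1"
  cat <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="$TEST_USER"
    password="$TEST_PASS"
    ca_cert="$CA_CERT"
    phase2="$phase2"
}
EOF
}

# Run eapol_test with the given config file and return its exit status
# (0 on SUCCESS). -t bounds the wait so an unreachable server fails fast.
run_eapol_test() {
  conf="$1"
  eapol_test -c "$conf" -a "$RADIUS_SERVER" -p 1812 -s "$RADIUS_SECRET" -t 10
}

# Try both inner methods; watch "freeradius -X" on the server side alongside.
if command -v eapol_test >/dev/null 2>&1; then
  for p2 in auth=MSCHAPV2 autheap=MSCHAPV2; do
    conf="$(mktemp)"
    gen_ttls_conf "$p2" > "$conf"
    if run_eapol_test "$conf" >/dev/null 2>&1; then
      echo "phase2=$p2: SUCCESS"
    else
      echo "phase2=$p2: FAILURE (see freeradius -X output)"
    fi
    rm -f "$conf"
  done
else
  echo "eapol_test not installed; build it with 'make eapol_test' in the wpa_supplicant tree"
fi
```

If only one of the two runs succeeds, the client and the server disagree on the inner method; if both fail while radtest against the same user works, the problem is in the tunnel (certificate trust or the missing inner-tunnel virtual server) rather than in ntlm_auth.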

