EAP-TTLS configuration with PAP inner

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue Feb 23 10:52:47 CET 2010


> We tend to use a anonymous at realm identity for the EAP outer ID, in our 
> current radius server this is defined in a users file and has the format 
> of anonymous Encrypted-Password=nevermatch is there a similar thing in 
> freeradius and where should this be defined ?

IIRC, this is just so that the user 'anonymous' is never treated as a real
user so no real challenges regarding this ID are sent to the LDAP or SQL backend?

We've never had to define an 'anonymous' username anywhere in FreeRADIUS
config for this to not be a problem....basically, if you have anonymous at realm
then FreeRADIUS suffic/realm/prefix code will note the realm part and proxy
it through..and its its EAP it'll be proxied to the inner-tunnel (from then
on the InnerID is what matters!)

> In the eap.conf file under the ttls section it asks for " 
> default_eap_type = tls" if I am using a pap password for the inner that 
> comes from a ldap server should I comment this section out ? Or will the 
> server ignore it ?

thats the default EAP type and hence the one that is initially challenged... if
you want to optimize things then set it to you most commonly used method....we have
it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls'


More information about the Freeradius-Users mailing list