EAP-TTLS configuration with PAP inner

Colin Byelong c.byelong at ucl.ac.uk
Tue Feb 23 11:32:22 CET 2010


Hi

Thanks for the quick reply.
> Hi,
>
>    
>> We tend to use an anonymous at realm identity for the EAP outer ID, in our
>> current radius server this is defined in a users file and has the format
>> of anonymous Encrypted-Password=nevermatch is there a similar thing in
>> freeradius and where should this be defined ?
>>      
> IIRC, this is just so that the user 'anonymous' is never treated as a real
> user so no real challenges regarding this ID are sent to the LDAP or SQL backend?
>
> We've never had to define an 'anonymous' username anywhere in FreeRADIUS
> config for this to not be a problem....basically, if you have anonymous at realm
> then FreeRADIUS suffix/realm/prefix code will note the realm part and proxy
> it through..and if it's EAP it'll be proxied to the inner-tunnel (from then
> on the InnerID is what matters!)
>
>    
Thanks I will try and configure this.


>> In the eap.conf file under the ttls section it asks for "
>> default_eap_type = tls" if I am using a pap password for the inner that
>> comes from a ldap server should I comment this section out ? Or will the
>> server ignore it ?
>>      
> that's the default EAP type and hence the one that is initially challenged... if
> you want to optimize things then set it to your most commonly used method....we have
> it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls'
>
>    
I thought it should be ttls but I found this to be a little confusing

"The tunneled EAP session needs a default
                         #  EAP type which is separate from the one for
                         #  the non-tunneled EAP module.  Inside of the
                         #  TTLS tunnel, we recommend using EAP-MD5.
                         #  If the request does not contain an EAP
                         #  conversation, then this configuration entry
                         #  is ignored.

as I have  eap {
                          default_eap_type = ttls

Thanks

Colin

> alan


-- 
-----------------------------------------------------------------------


Colin Byelong                             Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street                              Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
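
The two `default_eap_type` settings discussed in this thread, laid out in one eap.conf fragment. This is an added illustration, not part of the original message or the FreeRADIUS distribution file. It assumes the FreeRADIUS 2.x eap.conf layout; the `md5` value follows the recommendation in the quoted comment, and the `tls` contents are elided.

```conf
eap {
	# Outer (non-tunneled) EAP module: the method the server
	# challenges with first. For EAP-TTLS/PAP clients this is ttls.
	default_eap_type = ttls

	tls {
		# certificate and key settings go here; ttls depends on them
	}

	ttls {
		# Default EAP type for an EAP conversation *inside* the tunnel.
		# With PAP as the inner method the tunneled request contains no
		# EAP conversation, so per the eap.conf comment quoted above
		# this entry is ignored (assumed value shown).
		default_eap_type = md5

		# The tunneled request is handled by this virtual server, where
		# the inner identity and PAP password are checked (e.g. LDAP).
		virtual_server = "inner-tunnel"
	}
}
```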
