eduroam PEAP + TTLS

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Thu Jun 17 23:14:45 CEST 2010


Hi,

> I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP,
> giving users full support of eduroam. There are proxy RADIUS servers maintained by our national "provider", and they test
> authentication every 15 minutes.
> 
> When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.

Can I ask a quick question: do you need/want your own users to use PEAP? Whether
you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users. A visitor
to your site should be able to use PEAP if their home site supports it, as your FreeRADIUS
boxes will just proxy the request to the national proxies.

I'm not sure why the central test should be forcing you to support all types of EAP - it
should only check that you are working for the EAP methods that you, as an IdP, support.


> } # server inner-tunnel
> [ttls] Got tunneled reply code 2
  ^^^^^^ 

Eh? I thought you said this second test was a PEAP test. Are you sure it is, as
this looks very much like an EAP-TTLS/MSCHAPv2 test?

> Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
>         User-Name = "user at realm"
>         EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xcda13382c4ab2647095b27820a4b1850

There's plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge'
- usually down to certs.

alan
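
The EAP method in use can be read straight from the EAP-Message attribute in the debug output quoted above. The following is an added example, not part of the original post or of FreeRADIUS: it decodes the first 15 bytes of that attribute (the function and constant names are hypothetical) and reports method number 21 (EAP-TTLS) rather than 25 (PEAP), consistent with the `[ttls]` log line.

```python
import struct

# EAP method numbers from the IANA EAP registry (subset relevant to eduroam).
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}

# First 15 bytes of the EAP-Message in the Access-Challenge quoted above:
# EAP header, flags, TLS message length, TLS record header. Payload omitted.
SAMPLE_PREFIX = "0x010a005f1580000000551703010050"


def parse_eap_tls_header(hex_value):
    """Decode the header of a TLS-based EAP packet (EAP-TLS/TTLS/PEAP framing)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    data = bytes.fromhex(text)
    if len(data) < 4:
        raise ValueError("too short for an EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(data) < 6:
        return info  # Success/Failure carry no type field
    eap_type, flags = data[4], data[5]
    info["method"] = EAP_TYPES.get(eap_type, "type %d" % eap_type)
    if eap_type not in EAP_TYPES:
        return info  # not a TLS-based method, so no flags byte to decode
    info["length_included"] = bool(flags & 0x80)  # L bit
    info["more_fragments"] = bool(flags & 0x40)   # M bit
    info["start"] = bool(flags & 0x20)            # S bit
    offset = 6
    if info["length_included"]:
        if len(data) < 10:
            return info
        info["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    if len(data) >= offset + 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", data[offset:offset + 5])
        info["tls_record"] = TLS_CONTENT.get(ctype, ctype)
        info["tls_version"] = (major, minor)
        info["tls_record_length"] = rec_len
    return info


if __name__ == "__main__":
    for key, value in parse_eap_tls_header(SAMPLE_PREFIX).items():
        print("%-20s %s" % (key, value))
```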


