eduroam PEAP + TTLS

Jean-Philippe Ghibaudo legdf at
Fri Jun 18 09:56:33 CEST 2010

> Date: Thu, 17 Jun 2010 22:14:45 +0100
> From: A.L.M.Buxey at
> To: freeradius-users at
> Subject: Re: eduroam PEAP + TTLS
> Hi,

Hi, thank you very much for your quick answer!

> > I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP,
> > giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test
> > authentication every 15 minutes.
> > 
> > When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.
> can I ask a quick question. do you need/want your own users to use PEAP....whether
> you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users....a visitor
> to your site should be able to use PEAP if their home site supports it as your FreeRADIUS
> boxes will just proxy the request to the national proxies.
> I'm not sure why the central test should be forcing you to support all types of EAP - it
> should only check that you are working for the EAP methods that you, as an IdP support.

I need my own users to use PEAP because on Windows clients there is no support for EAP-TTLS without installing software to implement it.
And I want to use Active Directory because I can't use the actual password field in OpenLDAP with PEAP.
Otherwise you're right, this is how eduroam works.

> > } # server inner-tunnel
> > [ttls] Got tunneled reply code 2
>   ^^^^^^ 
> eh? I thought you said this second test was a PEAP test.  are you sure it is as
> this looks very much like an EAP-TTLS/MSCHAPv2 test

That's right, whereas before, I've got this line:
Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius
 port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Which occurs after these lines:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for user at realm with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]        expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user
[mschap]  mschap2: d6
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46
Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program: returned: 0
++[mschap] returns ok

So, I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've done something wrong in the order of Auth-Type in my conf files?

> > Sending Access-Challenge of id 9 to port 35055
> >         User-Name = "user at realm"
> >         EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0xcda13382c4ab2647095b27820a4b1850
> there's plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge'
> - usually down to certs.

I've already added my certs in the Active Directory, as it's said in eap.conf and that solved the problem for PEAP-MSCHAPV2. So now, I can use
default PEAP options in the native wpa supplicant on Windows and that works.

I'm gonna look for more about this.

> alan

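The question in the thread of whether the second test was PEAP or EAP-TTLS can be checked from the EAP-Message bytes of the quoted Access-Challenge, because the fifth byte of an EAP Request/Response is the outer method type. The decoder below is an added example, not part of the original thread or of FreeRADIUS; the name `decode_eap` and the constructed PEAP sample are assumptions, and it assumes the whole EAP packet sits in a single EAP-Message value.

```python
import struct

# Codes and method type numbers from the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}          # methods that share the EAP-TLS framing
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}

# EAP-Message value copied from the Access-Challenge quoted in the thread.
SAMPLE = ("0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe"
          "2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574"
          "b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38")
# Constructed sample (not from the thread): a PEAP Start request.
PEAP_START = "0x010b00061920"

def decode_eap(hex_value):
    """Decode the EAP header (and TLS framing, if any) of an EAP-Message."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "complete": len(raw) == length}
    if code not in (1, 2) or len(raw) < 5:
        return info               # Success/Failure carry no type byte
    etype = raw[4]
    info["type"] = EAP_TYPES.get(etype, f"type {etype}")
    if etype in TLS_BASED and len(raw) >= 6:
        flags, off = raw[5], 6
        info["more_fragments"] = bool(flags & 0x40)   # M bit
        info["start"] = bool(flags & 0x20)            # S bit
        if flags & 0x80 and len(raw) >= 10:           # L bit: 4-byte TLS length
            info["tls_length"] = struct.unpack("!I", raw[6:10])[0]
            off = 10
        if len(raw) >= off + 5:                       # first TLS record header
            ctype, ver, rlen = struct.unpack("!BHH", raw[off:off + 5])
            info["tls_record"] = (TLS_CONTENT.get(ctype, ctype), hex(ver), rlen)
    return info

if __name__ == "__main__":
    for name, value in (("thread", SAMPLE), ("constructed", PEAP_START)):
        print(name, decode_eap(value))
```

For the value in the thread this reports an EAP-TTLS request (type 21) carrying a TLS application-data record, which matches the `[ttls]` prefix in the debug output.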