Freeradius2 and OSX clients no TLS

James J J Hooper jjj.hooper at
Sun Mar 6 19:39:32 CET 2011

--On 6 March 2011 16:31:54 +0000 Guy <guy at> wrote:

> On 6 Mar 2011, at 13:03, Phil Mayers wrote:
>> On 03/05/2011 04:46 PM, Guy wrote:
>>> Hi,
>>> I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA
>>> Enterprise 2, and I have it basically working.  my iPhone/iPad are
>>> able to authenticate and connect via the base station.  However my
>>> Mac (OSX 10.6 Snow leopard) Laptops are having issues.
>>> I do not want to push out Client certificates to the laptops. I also
>>> do not want people to have to perform any customisations on the
>>> clients.
>>> When the laptop attempts to join the network I get a nice login
>>> window, with username/password. This is fine.  However without
>>> playing with the network settings (802.1x settings).  I'm not able to
>>> join the network because I do not have a client Cert:


> I changed "default_eap_type=md5" to  "default_eap_type=ttls" and now the
> Macs are able to authenticate without Certs or any configuration on their
> side!!

...remember though that working != secure [necessarily]. Clients defaulting 
to accept any radius server cert, or those that default to prompt the user, 
are vulnerable to rogue AP/credential stealing attacks etc. This may be 
acceptable in your environment, but if not, you'll still need to actively 
configure the client.


James J J Hooper
Network Specialist, University of Bristol

More information about the Freeradius-Users mailing list