more EAP/TTLS trouble

Steve Hopps steve.hopps at
Tue May 29 23:28:07 CEST 2012

But according to the configuration file:

        #  The "suffix" module takes care of stripping the domain
        #  (e.g. "") from the User-Name attribute, and the
        #  next few lines ensure that the request is not proxied.
        #  If you want the inner tunnel request to be proxied, delete
        #  the next few lines.
        update control {
               Proxy-To-Realm := LOCAL
        }

So I'm confused, what's the right way to handle this situation?

On Tue, May 29, 2012 at 4:00 PM, alan buxey <A.L.M.Buxey at> wrote:
> Hi,
>> certificate errors. What could the windows machine be doing different?
>> Why does the machine even enter the picture when the authentication is
>> between the Access Point and the server?
> authentication is between the client and the server - mediated over 802.1X
> by the Access point. that's why your client has a supplicant on it..
>> Below is the portion of the log which shows the rejection, when using
>> my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isn't
>> it?) Where I am confused is near the bottom, what is causing the
>> rejection?
> Win7 will be EAP-PEAPv0/MSCHAPv2
>> ++[pam] returns invalid
> user/pass in pam?
>> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
>>  Cancelling invalid proxy request.
> that's kind of a big clue. don't do that. it breaks things. just define
> the realm in proxy.conf with no place e.g.
> realm {
> }
>> rlm_pam: Attribute "User-Password" is required for authentication.
> you've forced the server to use PAM?  MSCHAPv2 doesn't provide 'User-Password'
> so won't work.
> what ARE you trying to do?
> alan