more EAP/TTLS trouble

Steve Hopps steve.hopps at gmail.com
Wed May 30 14:44:50 CEST 2012


We're trying to use an access point configured for WPA2 using FreeRADIUS to
authenticate with OpenLDAP. For Android and Linux it works out of the box
with EAP/TTLS and PAP. So we used PAM 'cause it already works with LDAP. I
didn't know other encryption types wouldn't work with PAM.

iPhones work with a custom config profile that's easily installed. However,
our most significant hurdle is Windows machines. Who would have guessed???
For some stupid reason Microsoft doesn't care about supporting all modern
encryption standards. Making our staff pay for SecureW2 isn't an option and
XSupplicant doesn't work reliably yet in 64-bit Win7. So I'm back to trying
to get MSCHAPv2 working with PEAP. This seems impossible.
On May 30, 2012 2:43 AM, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:

> On 05/29/2012 10:28 PM, Steve Hopps wrote:
>
>> So I'm confused, what's the right way to handle this situation?
>
> What situation?
>
> What are you trying to do?
>
> Alan has already hinted at the issue, but basically see here:
>
> http://deployingradius.com/documents/protocols/oracles.html
>
> ...and here:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Whatever protocol you are running within TTLS, it's not PAP therefore not
> compatible with PAM-as-an-oracle.
>
> rlm_pam: Attribute "User-Password" is required for authentication.
> ++[pam] returns invalid
>
> PAM is being forced (I think) here:
>
> [files] users: Matched entry DEFAULT at line 222
>
> ...fix that line. Don't force PAM if you don't want or need it, and if you
> want/need it, pick compatible authentication.
>
> The Proxy-To-Realm comments in the default config files might be out of
> date; in general, obey what the debug says over ANY other advice, because
> it's coming from the actual code.
>
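
The advice in the quoted reply, to follow the debug output and fix the users-file line that forces PAM, can be checked mechanically. The script below is an added example, not part of the original thread or of FreeRADIUS: it scans captured debug text for the three line shapes quoted above and ties the module that lacked `User-Password` to the users-file entry to review. The function names and the sample buffer are constructed for illustration.

```python
import re

# Constructed sample: the three debug lines quoted in the thread, gathered
# into one buffer the way captured debug output would be.
SAMPLE_DEBUG = """\
[files] users: Matched entry DEFAULT at line 222
rlm_pam: Attribute "User-Password" is required for authentication.
++[pam] returns invalid
"""

# Line shapes taken from the thread; anything else is ignored (assumption).
MATCHED = re.compile(r'^\[\w+\] users: Matched entry (\S+) at line (\d+)')
REQUIRED = re.compile(r'^rlm_(\w+): Attribute "([^"]+)" is required')
RETURNS = re.compile(r'^\++\[(\w+)\] returns (\w+)')


def diagnose(debug_text):
    """Tie each module that lacked an attribute to the users entries seen."""
    entries, missing, results = [], {}, {}
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted paste
        if m := MATCHED.match(line):
            entries.append({"entry": m.group(1), "line": int(m.group(2))})
        elif m := REQUIRED.match(line):
            missing[m.group(1)] = m.group(2)
        elif m := RETURNS.match(line):
            results[m.group(1)] = m.group(2)
    findings = []
    for module, attr in missing.items():
        result = results.get(module, "unknown")
        if result != "ok":
            # The module needs an attribute the inner method did not supply
            # (User-Password exists only with PAP), so it cannot authenticate.
            findings.append({"module": module, "missing_attribute": attr,
                             "result": result, "review": list(entries)})
    return findings


def report(findings):
    """Render findings as one human-readable line each."""
    out = []
    for f in findings:
        where = ", ".join(f"{e['entry']} at line {e['line']}"
                          for e in f["review"]) or "no users entry seen"
        out.append(f"{f['module']}: {f['missing_attribute']} missing "
                   f"(returned {f['result']}); review users entry {where}")
    return out


if __name__ == "__main__":
    print("\n".join(report(diagnose(SAMPLE_DEBUG))))
```
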