more EAP/TTLS trouble

Alan DeKok aland at
Wed May 30 14:52:41 CEST 2012

Steve Hopps wrote:
> We're trying to use an access point configured for wpa2 using freeradius
> to authenticate with openldap. For Android and Linux it works out of the
> box with eap/ttls and pap. So we used Pam cause it already works with
> ldap. I didn't know other encryption types wouldn't work with Pam.

  This confuses me.  Why use PAM when FreeRADIUS can use LDAP directly?

> IPhones work with a custom config profile that's easily installed.
> However, our most significant hurdle is windows machines. Who would have
> guessed??? For some stupid reason Microsoft doesn't care about
> supporting all modern encryption standards. Making our staff pay for
> SecureW2 isn't an option and XSupplicant doesn't work reliably yet in
> 64bit Win7. So I'm back to trying to get mschapv2 working with peap.
> This seems impossible.

  It's possible.  It's easy.

  (a) configure FreeRADIUS to query LDAP directly

  (b) ensure that the passwords in LDAP are stored in a format
compatible with MS-CHAP.

  If you can do both, then getting PEAP to work should be trivial.

  In 2.1.2, you can use "radclient" to send MS-CHAP requests to the
server.  Don't even THINK of trying to get PEAP to work until you have
plain old MS-CHAP working.

  Alan DeKok.

More information about the Freeradius-Users mailing list