more EAP/TTLS trouble

Aman Arneja arneja.aman at
Wed May 30 15:18:23 CEST 2012

Hi Steve
Microsoft supports EAP TTLS in our upcoming is release of Windows 8 . That
said PEAP MSChapv2 is as modern as an EAP TTLS and is a very widely and
simply deployed method. I have personally used the freeradius peap mschapv2
pretty much out of the box. As far as the certificate error you saw earlier
that was due to the nature of design of a modern secure authentication
method which gave supported security feature like Server Certificate
Validation enabled by default. If you just go through the net you will find
tonnes of peap mschapv2 working eap.conf's and I suggest you compare yours
to the ones available for the authentication to work. Also if you are
looking for ttls only you can test with the beta of windows 8 and become
one of our early adopters when it releases.

Thanx and Regards

Aman Arneja

Sent from my Windows Phone
From: Steve Hopps
Sent: 5/30/2012 6:23 PM
To: FreeRadius users mailing list
Subject: Re: more EAP/TTLS trouble

We're trying to use an access point configured for wpa2 using freeradius to
authenticate with openldap. For Android and Linux it works out of the box
with eap/ttls and pap. So we used Pam cause it already works with ldap. I
didn't know other encryption types wouldn't work with Pam.

IPhones work with a custom config profile that's easily installed. However,
our most significant hurdle is windows machines. Who would have guessed???
For some stupid reason Microsoft doesn't care about supporting all modern
encryption standards. Making our staff pay for SecureW2 isn't an option and
XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying
to get mschapv2 working with peap. This seems impossible.
 On May 30, 2012 2:43 AM, "Phil Mayers" <p.mayers at> wrote:

> On 05/29/2012 10:28 PM, Steve Hopps wrote:
>  So I'm confused, what's the right way to handle this situation?
> What situation?
> What are you trying to do?
> Alan has already hinted at the issue, but basically see here:
> ...and here:
> Whatever protocol you are running within TTLS, it's not PAP therefore not
> compatible with PAM-as-an-oracle.
> rlm_pam: Attribute "User-Password" is required for authentication.
> ++[pam] returns invalid
> PAM is being forced (I think) here:
> [files] users: Matched entry DEFAULT at line 222
> ...fix that line. Don't force PAM if you don't want or need it, and if you
> want/need it, pick compatible authentication.
> The Proxy-To-Realm comments in the default config files might be out of
> date; in general, obey what the debug says over ANY other advice, because
> it's coming from the actual code.
> -
> List info/subscribe/unsubscribe? See**
> list/users.html <>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list