debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

Martin Kraus lists_mk at
Thu Aug 22 10:50:47 CEST 2013

On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
> If that's all you're doing, forget about PEAP and just go for
> straight EAP-TLS. All PEAP really gives you on top is the SoH
> support, and may cause problems with other non-Windows clients.
> EAP-TLS should work on more devices.

I'm still hoping I'll be able to use the outer and inner TLS for privacy
reasons and because right now the radius configuration is doing what I want
and merging default and inner-tunnel servers would make the configuration
even uglier then it already is:-)
> Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
> TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
> do EAP-TLS.
> You do realise that EAP-TLS is certificate based, not
> user/password? So you need a full certificate management system to
> go with it as well to issue certs to your users. You can't get
> user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
> certificate (machine auth) only.

Yes, all our users have a certificate issued for our internal wifi so that's 
not a problem. I'm actually hoping to phase out passwords for network logons.
> My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
> deployment tools to get the devices configured correctly.

We don't have control over the client devices. We just have to hope that the
users know what to do and what their devices are doing. 

The main problem is that I'm currently not allowed to go on with a migration
to 802.1x until the mschap problem is solved. 


More information about the Freeradius-Users mailing list