Any interoperability issues with Aruba and Freeradius

Robert Franklin rcf34 at
Fri Feb 8 18:21:57 CET 2013

On 8 Feb 2013, at 16:31, Phil Mayers <p.mayers at> wrote:

> Was it Aruba who we had all the issues with terminating PEAP/TTLS locally on the controller, then transforming the inner EAP-MSCHAPv2 to plain MSCHAPv2 and mangling it? I seem to recall a flurry of posts to the list that were solved by turning all that off, but this was a couple of years ago.

Certainly when we first set up eduroam on our Aruba controllers back in the ArubaOS 3.x days (2007-8) we had issues with local EAP termination.

A colleague set this up and I don't think he would have ticked the box to do it, so I assume it was there by default.  We disabled it back then and have never had trouble since -- but our configuration has been gradually ported through upgrades from 3.x to 5.x to 6.x, so we may have migrated that change.

However, a test controller I have running 6.x doesn't have EAP termination enabled and I think I didn't explicitly configure that, so it may have changed as a default since 3.x.

The setting is probably in the "default" dot1x authentication profile:

  (aruba) # show aaa authentication dot1x default | include Termination
  Termination                                                Disabled
  Termination EAP-Type                                       N/A
  Termination Inner EAP-Type                                 N/A

... if that says "Enabled" you can turn it off:

  (aruba) (config)# aaa authentication dot1x default
  (aruba) (config ...)# no termination enable

... the help for that option says "Default is disabled" in ArubaOS

If you want to offload (as you've just mentioned in your further email), then EAP-TTLS is not an option:

  (aruba) (802.1X Authentication Profile "default") #termination eap-type ?
  eap-peap                Select EAP-PEAP as the authentication protocol
  eap-tls                 Select EAP-TLS as the authentication protocol

FWIW, we have provided eduroam on ArubaOS 3.x, 5.x and 6.x talking to FreeRADIUS 2.x (with a PostgreSQL backend for passwords, not an AD) for years with this and support EAP-TTLS/xxx without problems*, although most of our users use EAP-PEAP but we don't do any offloading (I'm not sure why you'd want to, unless your RADIUS backend doesn't support the desired methods - but FreeRADIUS does).

  - Bob

* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.

 Bob Franklin <rcf34 at>              +44 1223 748479
 Network Division, University of Cambridge Computing Service

More information about the Freeradius-Users mailing list