PAM authentication not working

Phil Mayers p.mayers at
Sat Feb 9 11:31:59 CET 2013

On 02/08/2013 11:42 PM, Jaap Winius wrote:
> Quoting Alan DeKok <aland at>:
>> No.  You can't turn off EAP.  The client is sending EAP to the server.
>> You need to change the client.  And likely you can't, because it
>> *needs* to do EAP.
> Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
> WPA-EAP and it looks like that's my only option. But, if you're correct,
> then how is this supposed to work? You make it sound like a catch-22.

The choice of authentication algorithm (EAP) and any EAP-type are made 
client side.

Different EAP types have different requirements, in terms of what data 
you need to successfully authenticate a user - see here:

PAM, as noted at the 2nd link, s an "oracle" that can *only* be used to 
authenticate PAP, and therefore EAP-TTLS/PAP.

Your client is doing EAP-TTLS/EAP-MD5.

You have two choices:

  1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able 
to authenticate
  2. Stop using PAM, and provide the server with the client credentials 
in a form compatible with your EAP-type (see 1st URL above)

These are your only options.

More information about the Freeradius-Users mailing list