free radius setup

Phil Mayers p.mayers at
Wed Sep 11 14:28:33 CEST 2013

On 11/09/13 12:05, stefan.paetow at wrote:
>> The alternative is getting your users to install something like
>> SecureW2 (which I believe requires a license now), and using
>> EAP-TTLS- PAP which submits the users password in plaintext, or I
>> believe more recent flavours of Windows support EAP-TTLS too.
> If I remember correctly, when using EAP-TTLS-PAP, the top-level
> default_eap_type should be "ttls", and then the default_eap_type in
> the TTLS section should be "gtc" (which uses PAP by default).
> AFAIK (and please correct me if I'm wrong), you cannot set the TTLS
> default_eap_type setting to PAP.

That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just 
PAP. So "default_eap_type" is irrelevant.

You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel 
- by populating a cleartext or hashed password and calling the "pap" 
module in the authorize/authenticate section, or other more specialised 

EAP-TTLS/EAP-GTC is a different thing.

More information about the Freeradius-Users mailing list