free radius setup
p.mayers at imperial.ac.uk
Wed Sep 11 14:28:33 CEST 2013
On 11/09/13 12:05, stefan.paetow at diamond.ac.uk wrote:
>> The alternative is getting your users to install something like
>> SecureW2 (which I believe requires a license now), and using
>> EAP-TTLS- PAP which submits the users password in plaintext, or I
>> believe more recent flavours of Windows support EAP-TTLS too.
> If I remember correctly, when using EAP-TTLS-PAP, the top-level
> default_eap_type should be "ttls", and then the default_eap_type in
> the TTLS section should be "gtc" (which uses PAP by default).
> AFAIK (and please correct me if I'm wrong), you cannot set the TTLS
> default_eap_type setting to PAP.
That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just
PAP. So "default_eap_type" is irrelevant.
You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel
- by populating a cleartext or hashed password and calling the "pap"
module in the authorize/authenticate section, or other more specialised
EAP-TTLS/EAP-GTC is a different thing.
More information about the Freeradius-Users