Getting EAP-TTLS/TLS working

Alan DeKok aland at
Tue Feb 11 19:06:11 CET 2014

greg.huber wrote:
> I few releases back we had EAP-TTLS/TLS working (maybe 2 years ago??)
> Since then it has stopped and I am having trouble finding the root cause.
> Protocols like EAP-TLS and EAP-TTLS/MSCHAPV2 are working, and I verified
> the certificates and keys.

  It should work, though I haven't tested it recently.

> I have attached the output from 'radiusd -X' below.  I see a lot of posts have
> a nice condensed dump of the configuration, if someone could tell me how
> to get the dump I will attach it also.

  "radiusd -X".  It will print out the configuration it reads.

> Near the end is the statement:
> [ttls] WARNING: diameter2vp skipping long attribute 3005705648, attr

  Hmm... that's wrong.  It looks like your C compiler is broken.  Which
OS / C compiler are you using?  What supplicant are you using?

> I found this in the source code but am not sure if is is part of the problem
> or just a non-fatal warning.

  The debug log shows it's the cause of the error.  The supplicant is
sending some weird non-EAP data inside of the tunnel.

  This is one case where you should run "radiusd -Xx", do the
authentication, and post it to the list.  The extra "x" will cause the
server to print out a hex dump of the data inside of the tunnel.  That
will help us figure out what's going wrong.

  You don't need to post all of the debug output.  Just the line:

[ttls] Session established.  Proceeding to decode tunneled attributes.

  and then the hex dump, which should be shortly after that.

  Alan DeKok.

More information about the Freeradius-Users mailing list