EAP-TLS and EAP-TTLS/MSCHAPv2 in parralel...possible ?

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 28 10:53:17 CET 2014

On 28/02/14 09:11, Ben wrote:
> Hi,
> I've got a solution currently in place that works beautifully
> authenticating users with certificates using EAP-TLS.
> Unfortunatley, I need to start catering for users who have, shall we
> say, "limited" endpoints that only support TTLS/MSCHAPv2 type

This is a standard, even trivial, config. See:


...and follow the HOWTOs section.

Basically, if you have EAP-TLS working, it's likely that the only thing 
you need to do is ensure the server can get at the password or 
compatible hash (for MSCHAP, NT hash only) and it'll work.

Problem is you've been a bit vague. What have you tried, if anything? 
What version of the server are you running?

> will happen .... e.g. the following comment ....
>          # Note that this means "check plain-text password against
>          # the ldap database", which means that EAP won't work,
>          # as it does not supply a plain-text password.

That commend refers to forcing authentication via LDAP bind. If you 
don't do that, you won't have this problem.


  1. Ensuring you're on a recent version of the server, 2.2.3
  2. Follow the deployingradius docs linked above on a test server
  3. When you understand how it has all fit together, migrate the config 
to your production system, with your existing TLS CA/certs

As with all systems tasks, if you're new to it then make small changes, 
check your results into version control after each success, follow the docs.

If you've got specific questions, people can give more specific answers.

Good luck,

More information about the Freeradius-Users mailing list