MSCHAPV2 authenticate including the suffix

Alan DeKok aland at
Thu Jun 12 16:05:35 CEST 2014

Dean Goldhill wrote:
> I have attached 2 debug outputs,
> 1- using domain at user with TTLS & MSCHAPV2  (not EAP-MSCHAPV2) - does not work
> 2- using domain at user with TTLS & EAP-MSCHAPV2 - does work
> SO the issues is that when the username contains a suffix, using MSCHAPV2 (as opposed to EAP-MSCHAPV2) I get rejected.

  What client are you using?  My guess is that the client is putting one
user name into MS-CHAP, and a completely different one into EAP-MSCHAPv2.

  FreeRADIUS works with TTLS + MSCHAPv2, and TTLS + EAP-MSCHAPv2.  At
least for all clients I'm aware of.

  Alan DeKok.

More information about the Freeradius-Users mailing list