Could use some help setting up freeradius ttls-pap with ldap backend serving NT-passwords

Alan DeKok aland at
Mon Jan 5 21:14:06 CET 2015

On Jan 5, 2015, at 2:24 PM, Arjan Sinnige <arjan at> wrote:
> Currently our small school is running a mac osx tiger file/web server with radius slapped onto it.
> As the server is getting old, I’ve been asked to configure a new server. (Dell 720 running Ubuntu 14.10.) Clients are numerous formats (BYOD) but mainly osx and windows machines. Testing virtually at home atm. The Apache, LDAP and Samba part are fine for me. But freeradius is really tough.. Can use some help.
> Trying to get a EAP-TTLS with PAP working, as that was what we had before. Users are supposed to login with their username and password. No user certificates.

  That should be simple.  Follow my guide:

  It gives full instructions for getting TTLS to work.

> Doing a pap or mschap from server terminal is fine, which means the connection to ldap seems to be working. Doing TTLS-PAP from android phone gives errors.
> The mailing list won’t allow me to post my full config and output. (>100KB) so I’ve put it up at a website :

  We don’t need the config.  Just the debug output.
> So LDAP seems ok.

  That’s good.

> But doing a EAP-TTLS-PAP produces results below :
> Should I change something in the EAP.conf file ?

  No.  The defaults are fine.

  You *do* need to edit raddb/sites-enabled/inner-tunnel, and enable “ldap”.  Just like you did with raddb/sites-enabled/default.

> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

  That’s a problem with the access point.  The access point is SUPPOSED to send a “State” attribute in the packet.  It’s not doing that.

  Throw your access point in the garbage, and buy one that works.

  Alan DeKok.

More information about the Freeradius-Users mailing list