Help with EAP-TTLS and PAP

Alan DeKok aland at
Mon Nov 23 13:12:13 CET 2015

On Nov 23, 2015, at 5:19 AM, Hans Hering <hans.hering at> wrote:
> I know this gets asked a lot and I spent quite a while searching for my use case, but I couldn't find anything that helped me.
> First a little bit about my setup:
> We have a Sun DS with salted SHA1 passwords, freeradius 3.0.10, Aruba IAP-225 access points and Windows and OS X clients.
> My goal is having the users log on to the WPA2 Enterprise wifi with their LDAP credentials and no client configuration whatsoever. This means I don't want to install network profiles on the Macs and no EAP-GTC plugins on the Windows machines.
> From what I've read, this should be possible with EAP-TTLS and inner PAP, as PAP can work with salted SHA1 passwords.

  Yes.  That's the best choice.

> However, in all the setup guides I looked at, it said the eap module should use default_eap_type = ttls in the outer section and default_eap_type = md5 in the ttls section and then PAP should be used.

  No... EAP-MD5 isn't PAP.  And PAP isn't an EAP type.

> I verified PAP is working and if I use EAP-TTLS with inner EAP-GTC my Macs can logon just fine.
> So my question is now: what am I doing wrong? Is inner EAP-MD5 correct? Is what I'm trying to do even possible?

  Yes, it' s possible.

  But you have to tell the end user machine to do TTLS+PAP.  You can't set that on the server. 

  Alan DeKok.

More information about the Freeradius-Users mailing list