Help with EAP-TTLS and PAP
aland at deployingradius.com
Mon Nov 23 13:12:13 CET 2015
On Nov 23, 2015, at 5:19 AM, Hans Hering <hans.hering at outlook.com> wrote:
> I know this gets asked a lot and I spent quite a while searching for my use case, but I couldn't find anything that helped me.
> First a little bit about my setup:
> We have a Sun DS with salted SHA1 passwords, freeradius 3.0.10, Aruba IAP-225 access points and Windows and OS X clients.
> My goal is having the users log on to the WPA2 Enterprise wifi with their LDAP credentials and no client configuration whatsoever. This means I don't want to install network profiles on the Macs and no EAP-GTC plugins on the Windows machines.
> From what I've read, this should be possible with EAP-TTLS and inner PAP, as PAP can work with salted SHA1 passwords.
Yes. That's the best choice.
> However, in all the setup guides I looked at, it said the eap module should use default_eap_type = ttls in the outer section and default_eap_type = md5 in the ttls section and then PAP should be used.
No... EAP-MD5 isn't PAP. And PAP isn't an EAP type.
> I verified PAP is working and if I use EAP-TTLS with inner EAP-GTC my Macs can logon just fine.
> So my question is now: what am I doing wrong? Is inner EAP-MD5 correct? Is what I'm trying to do even possible?
Yes, it' s possible.
But you have to tell the end user machine to do TTLS+PAP. You can't set that on the server.
More information about the Freeradius-Users