Help with EAP-TTLS and PAP

Matthew Newton mcn4 at
Mon Nov 23 14:15:41 CET 2015

On Mon, Nov 23, 2015 at 11:19:49AM +0100, Hans Hering wrote:
> We have a Sun DS with salted SHA1 passwords, freeradius 3.0.10,
> Aruba IAP-225 access points and Windows and OS X clients.

What version of Windows?

> My goal is having the users log on to the WPA2 Enterprise wifi
> with their LDAP credentials and no client configuration
> whatsoever. This means I don't want to install network profiles
> on the Macs and no EAP-GTC plugins on the Windows machines.

A noble goal, but I'm afraid you're likely to be disappointed.

> From what I've read, this should be possible with EAP-TTLS and
> inner PAP, as PAP can work with salted SHA1 passwords. However,

Windows 7 and earlier can't do EAP-TTLS/PAP natively.

Pretty much the only options available by default on both are
EAP-TLS or PEAP/EAP-MSCHAPv2. The latter is ruled out if you have
passwords in SHA1, so you're just down to certificates. Which
requires provisioning on the clients.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list