proxy incoming PAP request as outgoing PEAP/TTLS requests

Alan DeKok aland at
Tue Sep 22 03:01:43 CEST 2015

On Sep 21, 2015, at 8:57 PM, Ian Chang-張志邦 <Ian.Chang at> wrote:
> This is exactly we would like to do.
> captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server


> As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.

  That isn't true.

> Hence, we would like to proxy the PAP requests as PEAP/TTLS requests.
> It is better that we could authenticate with the upstream server in the tunnel.

  No.  That's not true, either.

  The whole point of EAP is that NO ONE outside of the end user, and home server know what the password is.  The access point doesn't know it.  The intermediate proxies don't know it.

  Since the captive portal already sees the PAP password, adding EAP is useless.  It's *worse* than useless because it's adding complexity for no benefit.

  This is like saying "locks as good.  But my house is old, and doesn't have a lock on the front door.  So I'll put a lock on the floor beside my bed.  That will help!"

  No, it won't help.

  Alan DeKok.

More information about the Freeradius-Users mailing list