EAP-TTLS-PAP Doesn't send Clear-Password to proxy-inner-tunnel

Alan DeKok aland at deployingradius.com
Wed Aug 3 19:12:23 CEST 2016

On Aug 3, 2016, at 11:39 AM, Mehran Meidani <m.meidani at me.com> wrote:
> I have a home server which only supports PAP. FreeRADIUS was configured to establish EAP-TTLS-PAP and then proxy the inner request to my home server. Although it is configured to use PAP, it doesn’t send the user's clear-text password to my home server.

  You don't configure FreeRADIUS to use PAP.  You configure the EAP supplicant (Windows PC, iPhone, etc.) to do TTLS + PAP.

> Here is the output of freeradius -X:

  As always, reading it helps.

> (5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
> (5) eap_ttls: Got tunneled request
> (5) eap_ttls:   EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
> (5) eap_ttls:   FreeRADIUS-Proxied-To =
> (5) eap_ttls: Got tunneled identity of neda.divsalar at ut.ac.ir
> (5) eap_ttls: Sending tunneled request
> (5) Virtual server proxy-inner-tunnel received request
> (5)   EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
> (5)   FreeRADIUS-Proxied-To =
> (5)   User-Name = "neda.divsalar at ut.ac.ir"

  See?  No User-Password inside of the tunnel.

  The supplicant is configured to do EAP inside of the TTLS tunnel.

  Fix the supplicant so that it does PAP.

  No amount of poking FreeRADIUS will make this work.

  Alan DeKok.
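
The check made in the reply above can be scripted. This is an added example, not part of the original message and not FreeRADIUS code: it reads the tunneled attributes from `freeradius -X` output, reports which inner method the supplicant used, and decodes the EAP-Message header. The function names and the PAP sample are assumptions made for this example.

```python
import re

# EAP-Message line copied from the debug output quoted above.
SAMPLE_EAP = """(5) eap_ttls: Got tunneled request
(5) eap_ttls:   EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
(5) eap_ttls: Sending tunneled request"""
# Constructed sample: what a supplicant doing TTLS + PAP would place in the tunnel.
SAMPLE_PAP = """(7) eap_ttls: Got tunneled request
(7) eap_ttls:   User-Name = "user@example.org"
(7) eap_ttls:   User-Password = "<redacted>"
(7) eap_ttls: Sending tunneled request"""

# Attribute lines are indented under the module prefix: "(N) eap_ttls:   Name = value"
ATTR = re.compile(r"^\(\d+\)\s+eap_ttls:\s{2,}([\w-]+)\s*=\s*(.*)$")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 26: "MSCHAPv2"}

def decode_eap(hexstr):
    """Decode the RFC 3748 header: code(1) id(1) length(2) [type(1) data]."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": length}
    if raw[0] in (1, 2) and length > 4:  # only Request/Response carry a type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def inner_method(debug_text):
    """Return (method, decoded_eap_or_None) for one tunneled request."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    if "User-Password" in attrs:
        return "PAP", None
    if "MS-CHAP2-Response" in attrs or "MS-CHAP-Response" in attrs:
        return "MS-CHAP", None
    if "CHAP-Password" in attrs:
        return "CHAP", None
    if "EAP-Message" in attrs:
        return "EAP", decode_eap(attrs["EAP-Message"])
    return "unknown", None

if __name__ == "__main__":
    for name, text in (("EAP sample", SAMPLE_EAP), ("PAP sample", SAMPLE_PAP)):
        method, pkt = inner_method(text)
        print(name, "->", method, pkt and pkt.get("type"))
```

For the quoted log this reports an inner EAP Response of type Identity, so there is no User-Password for the home server to receive.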