Cross platform secure login on wpa2

Matthew Newton mcn4 at
Wed Dec 14 17:46:15 CET 2016

On Wed, Dec 14, 2016 at 04:29:04PM +0000, Henti Smith wrote:
> Next I used the Edoroam freeradius for auth against kerberos guide on
> to setup kerberos authentication.

That says use FreeRADIUS version 2. Use version 3 instead, v2 is

> ./rad_eap_test -H localhost -S testing123 -u kerberos-test -p secret -P
> 1812 -e PEAP -m WPA-EAP

Noting that's PEAP, not TTLS.

> However if I remove the local user and add "DEFAULT Auth-Type = Kerberos"
> it stops working.

Well yes, Auth-Type in the outer isn't Kerberos, it's EAP.

Documentation everywhere says don't touch Auth-Type yourself. It
says that for a reason.

> When I then test without EAP, using
> radtest  kerberos-test secret localhost 0 testing123
> It's working.

Because you set Auth-Type to Kerberos.

> What am I missing or not getting about getting them to work together to
> allow users to log into the wireless with existing user/pass but encrypted ?

Don't touch Auth-Type. FreeRADIUS can generally figure it out on
its own.

And if you're then still stuck, post a full debug output from
'radiusd -X' to the list.

eapol_test from the wpasupplicant project is your friend here for
testing EAP-TTLS/PAP.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list