Cross platform secure login on wpa2

Matthew Newton mcn4 at
Thu Dec 15 00:18:13 CET 2016

On Wed, Dec 14, 2016 at 09:36:18PM +0000, Henti Smith wrote:
> > > However if I remove the local user and add "DEFAULT Auth-Type = Kerberos"
> > > it stops working.
> >
> > Well yes, Auth-Type in the outer isn't Kerberos, it's EAP.
> >
> > Documentation everywhere says don't touch Auth-Type yourself. It
> > says that for a reason.
> >
> I did use the guide at which did state to
> add it. I've removed it.

I'm not entirely familiar with using Kerberos, and it may be one
where you need to set Auth-Type in certain circumstances. But you
definitely don't want to be doing it there because the users file
is read in both the outer and inner virtual servers, and the outer
is EAP.

You *might* need to do

  update control {
    Auth-Type := Kerberos

in your inner-tunnel virtual server authorize section. 

But if you're doing Kerberos for all PAP requests then you should
be able to forget this and change the "pap" line into:

  Auth-Type PAP {

in the inner-tunnel authenticate section instead. i.e. if the pap
module has recognised the auth request, then authenticate it with

> > > When I then test without EAP, using
> > >
> > > radtest  kerberos-test secret localhost 0 testing123
> > >
> > > It's working.
> >
> > Because you set Auth-Type to Kerberos.
> As per above, removed and now neither methods work.

This is why we ask for the full radiusd -X debug output....

Trying to debug blind is rather difficult and annoying. :(

> > eapol_test from the wpasupplicant project is your friend here for
> > testing EAP-TTLS/PAP.
> >
> Thanks for the heads up, will try again. the rad_eap_test is a nagios
> wrapped around eapol_test.

OK, should be good then.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list