Cross platform secure login on wpa2

Stefan Paetow Stefan.Paetow at
Thu Dec 15 13:55:09 CET 2016

> However if I remove the local user and add "DEFAULT Auth-Type = Kerberos"
> it stops working.


If you're using Kerberos as password oracle, you need to set the inner tunnel authentication for EAP to PAP. If your systems require that only EAP methods are used in the inner tunnel, you're probably best off using 'gtc' as the inner (which means EAP-GTC, which is Generic Token Card, which is PAP).

Let's assume that PAP is sufficient. In the *inner-tunnel* file you'll need some changes in the following sections:

1. In the authorize section insert the following *after* 'pap':

if (User-Password) {
    update control {
        Auth-Type = Kerberos

2. In the authenticate section, change the "Auth-Type PAP { ... }" stanza to:

Auth-Type PAP {
#    pap

Add the following to the authenticate section:

Auth-Type Kerberos {

This should call Kerberos with the given password and username depending on whether the EAP inner method is set to PAP (via GTC) or Kerberos depending on what was fed in.


Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

More information about the Freeradius-Users mailing list