Cross platform secure login on wpa2

Alan DeKok aland at
Mon Dec 19 16:31:28 CET 2016

On Dec 19, 2016, at 10:28 AM, Henti Smith <henti at> wrote:
> On 15 December 2016 at 12:55, Stefan Paetow <Stefan.Paetow at>
> wrote:

  Did you read this following paragraph?

>> If you're using Kerberos as password oracle, you need to set the inner
>> tunnel authentication for EAP to PAP. If your systems require that only EAP
>> methods are used in the inner tunnel, you're probably best off using 'gtc'
>> as the inner (which means EAP-GTC, which is Generic Token Card, which is
>> PAP).

  After which, you say:

> Authentication is still not working, but at least I'm now getting krb auth
> attempts, which fails due to 'Attribute "User-Password" is required for
> authentication'

  Go back and read Stefan's comments.  And read the debug output you posted to the list.  Do you see PAP in the inner-tunnel?  Or MS-CHAP?

  Alan DeKok.

More information about the Freeradius-Users mailing list