OpenLDAP+FreeRadius Encryption

Alan DeKok aland at
Tue Feb 2 17:17:47 CET 2016

> On Feb 2, 2016, at 11:06 AM, Greg Mischel Smith <gregms at> wrote:
>> Comment out mschap in your EAP config to disallow negotiation of mschap,
>> they'll try something else...

  That won't work.  :(

  You should set "default_eap_type"  to have the server start a particular EAP type.  The client *should* either start that EAP type, or NAK it with a list of supported EAP types.

  In this case, you set "default_eap_type = mschapv2", but deleted the "mschapv2" from the "eap" section.  That's confusing and wrong.  Don't do that.

> Happens on Android and Mac. I found that even if I set Android to use
> GTC, when I comment out the mschapv2 { } section in the eap config
> file, it fails.
> Looking at the debug on when it suceeds (without eapchapv2 commented
> out), it still uses eapchapv2 which makes me think that's why it
> fails.

  No.  You told the server to start with EAP-MSCHAPv2.  That's what it's doing.  The client is NAKing that, and asking for GTC.  Which should then work.

  But it's impossible to tell why it fails, because you didn't post the debug output where it fails.

  Alan DeKok.

More information about the Freeradius-Users mailing list