OpenLDAP+FreeRadius Encryption

Greg Mischel Smith gregms at
Thu Feb 4 23:30:40 CET 2016

On Wed, Feb 3, 2016 at 12:02 PM, Michael Ströder <michael at> wrote:
> Greg Mischel Smith wrote:
>> I just know having OpenLDAP with plaintext
>> passwords just isn't an option (even with ACL's on them).
> Then the only possible method is EAP-TTLS with inner PAP independent of the
> RADIUS server. And it's not hard to setup.
Thank you for your suggestions/clarification Michael. I tested out
EAP-TTLS yesterday and today and I finally got something working.

Solution appears to be EAP-TTLS w/ GTC as the inner.
When I tried the default of PAP as the inner, I found that the devices
where were still trying to use mschapv2. However when GTC is set as
the ttls default, mschapv2 works whether it is commented out or not.

I've tested it on Mac, Android and iPhone and the only one that needed
adjusting was Android as I had to change from default of PEAP to TTLS.
I can leave the inner empty and it will auto choose GTC on Android. I
feel it is finally working as is (without many modifications to the
config), it is a very good feeling.

More information about the Freeradius-Users mailing list