EAP-TTLS not working
Marlen Caemmerer
caemmerer at ash-berlin.eu
Thu Nov 3 08:55:43 CET 2016
Hi,
yes I tried to use a TTLS-PAP profile and it worked without any
reconfiguration.
I don't like the thought of having weak passwords in LDAP at all and on
the other hand TLS on radius clients can also not be made 100% secure.
So I guess my next step is to go for client certs for the people with a
lot of permissions on systems.
With kind regards,
Marlen Caemmerer
On 2016-11-03 08:40, Stefan Winter wrote:
> Hi,
>
>> As far as I understand MacOS tries to use MS-CHAPv2 and this does not
>> seem to work.
>
> IIRC, Apple changed the TTLS default inner method away from PAP to
> EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back.
>
> If you want an inner of (non-EAP)PAP then you have to tell the Mac and
> iOS devices with a .mobileconfig configuration file.
>
> Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you
> have NT-Hashes or cleartext of the passwords of your users.
>
> If you want to generate .mobileconfig files and also config files for
> lots of other platforms all in one go, try https://802.1x-config.org [1]
Links:
------
[1] https://802.1x-config.org
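
Added example, not part of the original thread: a sketch of the .mobileconfig Wi-Fi payload that selects a (non-EAP) PAP inner method for EAP-TTLS, plus an audit that flags such a profile when it does not pin the RADIUS server name and CA anchor. The SSID, identifiers, server name and anchor UUID are constructed placeholders, and the certificate payload the anchor UUID must refer to is assumed to exist elsewhere in the profile.

```python
import plistlib
import uuid

TTLS = 21  # EAP method number for EAP-TTLS

def wifi_payload(ssid, inner, server_names, anchor_uuids):
    """Build one com.apple.wifi.managed payload for an EAP-TTLS network."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.invalid.wifi." + ssid,  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi " + ssid,
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [TTLS],
            "TTLSInnerAuthentication": inner,  # "PAP", "MSCHAPv2", "EAP", ...
            "TLSTrustedServerNames": list(server_names),
            "PayloadCertificateAnchorUUID": list(anchor_uuids),
        },
    }

def profile(payloads):
    """Wrap payloads in a top-level configuration profile (unsigned plist)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.invalid.profile",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "802.1X profile (constructed sample)",
        "PayloadContent": payloads,
    })

def audit(profile_bytes):
    """Flag TTLS-PAP payloads that do not tell the client which server
    name and CA to accept; PAP sends the password in clear inside the
    tunnel, so the tunnel endpoint must be pinned."""
    findings = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        eap = p.get("EAPClientConfiguration", {})
        if TTLS not in eap.get("AcceptEAPTypes", []):
            continue
        if eap.get("TTLSInnerAuthentication") != "PAP":
            continue
        for key in ("TLSTrustedServerNames", "PayloadCertificateAnchorUUID"):
            if not eap.get(key):
                findings.append((p.get("SSID_STR"), "missing " + key))
    return findings
```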