EAP-TTLS not working

Marlen Caemmerer caemmerer at ash-berlin.eu
Thu Nov 3 08:55:43 CET 2016



yes I tried to use a TTLS-PAP profile and it worked without any

I dont like the thought of having weak passwords in LDAP at all and on
the other hand TLS on radius clients can also not be made 100% secure. 

So I guess my next steps is to go for client certs for the people with a
lot of permissions on systems. 

With kind regards, 

Marlen Caemmerer 

Am 2016-11-03 08:40, schrieb Stefan Winter: 

> Hi,
>> As far as I understand MacOS tries to use MS-CHAPv2 and this does not
>> seem to work.
> IIRC, Apple changed the TTLS default inner method away from PAP to
> EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back.
> If you want an inner of (non-EAP)PAP then you have to tell the Mac and
> iOS devices with a .mobileconfig configuration file.
> Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you
> have NT-Hashes or cleartext of the passwords of your users.
> If you want to generate .mobileconfig files and also config files for
> lots of other platforms all in one go, try https://802.1x-config.org [1]

[1] https://802.1x-config.org

More information about the Freeradius-Users mailing list