EAP-TTLS not working
Alan DeKok
aland at deployingradius.com
Thu Oct 27 14:14:58 CEST 2016
On Oct 27, 2016, at 6:49 AM, Marlen Caemmerer <caemmerer at ash-berlin.eu> wrote:
> I upgraded to 3.0.12 and got debug output as attached.
>
> It seems strange that Windows 8 and 10 are able to connect while MacOS
> and Linux aren't.
>
> As far as I understand MacOS tries to use MS-CHAPv2 and this does not
> seem to work.
>
> It seems my perl auth script does not get a password through while using
> mschapv2.
Because MS-CHAPv2 doesn't supply a password.
The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.
> The perl script is for a custom type of authentication only.
It will only work for PAP authentication.
> I have difficulties understanding what inner and outer identity are. Do
> you have a good hint on what to read to fully understand this?
In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server. Authentication normally requires a name, so that is the "outer" one. When the TLS session is set up, the *real* name and password are sent inside of the TLS connection. That is the "inner" identity.
Alan DeKok.
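
The advice above ("give the password to FreeRADIUS") sketched as an rlm_perl script; this is an added example, not part of the original post and not FreeRADIUS's own code. It looks the user up in `authorize` and hands the stored password to the server as `Cleartext-Password`, leaving the PAP or MS-CHAPv2 check to FreeRADIUS. The user table and `lookup_password` are hypothetical stand-ins for the site's custom store.

```perl
use strict;
use warnings;

# Hashes that rlm_perl shares with the script.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes understood by rlm_perl.
use constant {
    RLM_MODULE_NOTFOUND => 6,    # user unknown to this module
    RLM_MODULE_UPDATED  => 8,    # control attributes were changed
};

# Constructed sample data standing in for the custom user store.
my %SAMPLE_USERS = (
    'alice' => 'correct horse battery staple',
);

# Hypothetical helper: return the stored password for a user, or undef.
sub lookup_password {
    my ($user) = @_;
    return defined $user ? $SAMPLE_USERS{$user} : undef;
}

sub authorize {
    # Inside the TLS tunnel, User-Name carries the inner identity.
    my $password = lookup_password($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_NOTFOUND unless defined $password;

    # Supply the known-good password as a control attribute. No Auth-Type
    # is set and nothing is compared here: the server's own modules verify
    # the PAP password or the MS-CHAPv2 response against this value.
    $RAD_CHECK{'Cleartext-Password'} = $password;
    return RLM_MODULE_UPDATED;
}

1;
```

This assumes the perl module is listed in the `authorize` section of the virtual server that handles the tunnelled request. MS-CHAPv2 can only be checked against a cleartext password or its NT hash (`NT-Password`), so a store that holds only salted hashes cannot serve it.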