EAP-TTLS not working

Alan DeKok aland at deployingradius.com
Thu Oct 27 14:14:58 CEST 2016

On Oct 27, 2016, at 6:49 AM, Marlen Caemmerer <caemmerer at ash-berlin.eu> wrote:
> I upgraded to 3.0.12 and got debug output as attached. 
> It seems strange that Windows 8 and 10 are able to connect while MacOS
> and Linux aren't. 
> As far as I understand MacOS tries to use MS-CHAPv2 and this does not
> seem to work. 
> It seems my perl auth script does not get a password through while using
> mschapv2. 

  Because MS-CHAPv2 doesn't supply a password.

 The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user.  You shouldn't write a Perl script to do the authentication.

> The perl script is for a custom type of authentication only. 

  It will only work for PAP authentication.

> I have difficulties understanding what inner and outer identity are. Do
> you have a good hint on what to read to fully understand this? 

  In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server.  Authentication normally requires a name, so that is the "outer' one.  When the TLS session is set up, the *real* name and password are sent inside of the TLS connection.  That is the "inner" identity.

  Alan DeKok.

More information about the Freeradius-Users mailing list