EAP-TTLS not working

Marlen Caemmerer caemmerer at ash-berlin.eu
Fri Oct 28 12:58:38 CEST 2016



Am 2016-10-27 14:14, schrieb Alan DeKok: 

> Because MS-CHAPv2 doesn't supply a password.
> The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.

What would you recommend to let FreeRadius authenticate the user? LDAP
or users file or something else? 

>> The perl script is for a custom type of authentication only.
> It will only work for PAP authentication.

Actually I plan to poke around with EAP-TTLS and PAP first, then and see
how this goes. 

> In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server. Authentication normally requires a name, so that is the "outer' one. When the TLS session is set up, the *real* name and password are sent inside of the TLS connection. That is the "inner" identity.

Thanks :). So this means I configure the default virtual server to do
TTLS and the inner virtual server to do PAP? 

Then if I do this with rlm_perl I would write 

Auth-Type PAP {

in the inner-tunnel config. 

In the default config I guess I'd have to put eap in the authenticate

Is this correct? 

With kind regards
 Marlen Caemmerer

 Alice Salomon Hochschule
 Marlen Caemmerer
 Alice-Salomon-Platz 5
 12627 Berlin

 Email: caemmerer at ash-berlin.eu

More information about the Freeradius-Users mailing list