EAP-TTLS not working

Matthew Newton mcn4 at leicester.ac.uk
Fri Oct 28 13:06:23 CEST 2016

On Fri, Oct 28, 2016 at 12:58:38PM +0200, Marlen Caemmerer wrote:
> Am 2016-10-27 14:14, schrieb Alan DeKok: 
> > Because MS-CHAPv2 doesn't supply a password.
> > 
> > The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.
> What would you recommend to let FreeRadius authenticate the user? LDAP
> or users file or something else? 

That totally depends on where your usernames/passwords are
actually stored.

i.e. where is your perl script looking?

> > In short, EAP-TTLS and PEAP set up a TLS connection between
> > the PC and the RADIUS server. Authentication normally requires
> > a name, so that is the "outer' one. When the TLS session is
> > set up, the *real* name and password are sent inside of the
> > TLS connection. That is the "inner" identity.
> Thanks :). So this means I configure the default virtual server to do
> TTLS and the inner virtual server to do PAP? 


> In the default config I guess I'd have to put eap in the authenticate
> section. 
> Is this correct? 


But watch out - by default the users file is read by both the
inner and outer virtual servers. So you'll end up setting
Auth-Type:=perl for both.

Really, as written all over the place, don't set Auth-Type
yourself unless you really know what you're doing. And don't use
perl to do the authentication - use FreeRADIUS to fetch the
credentials and do the auth. It will generally work out what the
correct Auth-Type is for you.


Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list