FreeRadius EAP-TTLS Troubleshooting

Smith, James james.smith at
Thu Jun 1 22:49:20 CEST 2017

Thanks Alan. 

After fixing the inner-tunnel file to the default configuration, everything seems to work. Not sure how the file got modified but that's a different problem altogether. 

Best Regards,

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan DeKok
Sent: Tuesday, May 30, 2017 5:40 PM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: FreeRadius EAP-TTLS Troubleshooting

On May 30, 2017, at 5:31 PM, Smith, James <james.smith at> wrote:
> FreeRADIUS Version 3.0.4

  You should really upgrade to 3.0.14.  But anyways...

> Hello,
> I'm new to the FreeRadius community and would like to start by saying hello. I'm working on a FreeRadius issue and am having some trouble figuring out what exactly is going on so I'm going to try to post here to see if there is a possible solution.
> We are utilizing FreeRadius for EAP-TTLS authentication with Siemens radios and I'm not able to get our radio to register with the base station. Certificates are installed on the radio, base station and radius server. I've included the Radius -X output to an text file and have it attached.
> I've looked through the debug file and I'm noticing that the radio is getting through part of the authentication then is failing when it tries to authorize the radio. The error seems like it would be easy to translate but nothing seems to be incorrect in my files regarding the client.conf so I'm having a hard time figuring out why the radio is unable to authorize. The actual error message states "No Auth type found:" rejects the user then says "Login Incorrect".

  The exact messages are:

Tue May 30 18:46:18 2017 : Debug: (11)  eap_ttls : Sending tunneled request Tue May 30 18:46:18 2017 : Debug: (11)  server inner-tunnel {
Tue May 30 18:46:18 2017 : Debug: (11)    Request:
	User-Name = 'CPE4'
	User-Password = 'password'
Tue May 30 18:46:18 2017 : Debug: (11)  Empty authorize section.  Using default return values.
Tue May 30 18:46:18 2017 : ERROR: (11)  No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

  You deleted the contents of the "inner-tunnel" file, and broke it.  Don't do that.

  Use the default configuration.  It works.

> Note: I changed the actual passwords using the Find/Replace function. 
> The client that is failing is 
> CPE4 at<mailto:CPE4 at> and it begins authentication 
> as the Debug (7) in the debug log. The first reject happens in Debug 
> (11) (I highlighted in red where the reject message begins.)

  That's fine.

  Alan DeKok.

List info/subscribe/unsubscribe? See
This message is intended only for the addressee and may contain information that is company confidential or privileged.  Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately. 

More information about the Freeradius-Users mailing list