TTLS + GTC Configuration -> No Error in log but cleint stuck on "connecting"

Alan DeKok aland at
Fri Sep 15 16:50:49 CEST 2017

On Sep 15, 2017, at 10:44 AM, Mark <mclarke4 at> wrote:
> Ok so I have gone through the configuration and verified that the ssl paths
> and passwords are correct but the authentication still fails.

  The debug log will show why.

a) something happened in the server, and it will tell you why the user was rejected

b) something happened in TLS, and the client will just drop the authentication attempt.

> I tried
> setting the Auth-Type to  local

  Don't do that.  It's been deprecated for about 8 years.

>  Maybe I need to force set
> it to the provided clear-text password before the inner tunnel is set up?


> (I am fully aware I could be talking complete nonsense at this point as my
> brain is swimming in a rough see of concepts and, what seems like
> convoluted labyrinthine mess of configuration options - kind of like living
> a Kafka novel :(  )

  It's simple.  Follow the guide on my site:

  While there are a lot of configuration options, most of them can be ignored.  Follow the guide, and it should work.

  The point is to test each thing in isolation.  Test one thing, get it to work, and only then test another thing.

  There's also the "inner-tunnel" virtual server.  Read the comments at the start.  You can test EAP-GTC authentication *just* for the inner-tunnel, *without* using TTLS.  The eapol_test program can be used to test this.

  So follow the guide, and use eapol_test to test EAP-GTC in isolation.

  If nothing else, it will get you MUCH smaller debug output.  That makes it easier to see what's going on.

> It tried changing the setting to ldap but still cannot login.  A bit lost
> really :( I see some time "MS-MPPE-Recv-Key" messages but not sure how this
> got in there as I don't request any MSCHAP authentication?

  Those are put in the Access-Accept when the user successfully authenticates.  They're the dynamic WiFi encryption keys.

  Alan DeKok.

More information about the Freeradius-Users mailing list