EAP-TTLS not working
Alan DeKok
aland at deployingradius.com
Sun Sep 2 14:22:23 CEST 2018
> On Sep 2, 2018, at 5:54 AM, Jürgen Obermeyer <om at oegym.de> wrote:
>> Something is very wrong with the Samba / AD infrastructure if MS-CHAP
>> doesn't work.
>
> I think the problem is in my freeradius config.
If you send MS-CHAP data to Samba, and it says "no", then the issue is on the Samba side.
FreeRADIUS does MS-CHAP correctly, and has done so for about 20 years...
> Now I'm testing to
> connect a wireless client with eap-ttls, but it's not working, too.
> 'radtest' is always successful, but I can't connect any wireless client.
The debug output shows what's going on.
> ...
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x849ba7b1849aa33e
> (6) eap: Finished EAP session with state 0x849ba7b1849aa33e
> (6) eap: Previous EAP request found for state 0x849ba7b1849aa33e,
> released from the list
> (6) eap: Peer sent packet with method EAP MD5 (4)
> (6) eap: Calling submodule eap_md5 to process data
> (6) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
> authentication
> (6) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module
> failed
That is pretty clear.
You can't do EAP-MD5 and Kerberos.
You MUST configure TTLS with PAP inside of the tunnel. NOT EAP-MD5.
Alan DeKok.
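
For reading debug output like the excerpt quoted above once mail quoting and line wrapping have mangled it, the following added example (not part of the original message and not FreeRADIUS code) strips the "> " prefixes, rejoins wrapped records, and reports per request which EAP method the peer sent and which module errors followed. The function names are hypothetical; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Debug lines copied from the quoted output above, with "> " quoting and wraps.
SAMPLE = """\
> (6) authenticate {
> (6) eap: Previous EAP request found for state 0x849ba7b1849aa33e,
> released from the list
> (6) eap: Peer sent packet with method EAP MD5 (4)
> (6) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
> authentication
> (6) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module
> failed
"""

START = re.compile(r"^\(\d+\)\s")                     # start of a debug record
RECORD = re.compile(r"^\((\d+)\)\s+(\w+):\s+(.*)$")   # (req) module: message
METHOD = re.compile(r"Peer sent packet with method EAP (.+?) \(\d+\)")

def unwrap(text):
    """Strip mail quoting and rejoin records the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line  # continuation of the previous record
    return out

def diagnose(text):
    """Map request id -> inner EAP method seen and (module, error) pairs."""
    reqs = defaultdict(lambda: {"method": None, "errors": []})
    for m in filter(None, map(RECORD.match, unwrap(text))):
        req, module, msg = int(m.group(1)), m.group(2), m.group(3)
        if (meth := METHOD.search(msg)):
            reqs[req]["method"] = "EAP-" + meth.group(1)
        if msg.startswith("ERROR:"):
            reqs[req]["errors"].append((module, msg[6:].strip()))
    return dict(reqs)

def needs_cleartext(report):
    """Request ids that failed because no Cleartext-Password was available."""
    return sorted(r for r, d in report.items() if any(
        "Cleartext-Password is required" in e for _, e in d["errors"]))

print(needs_cleartext(diagnose(SAMPLE)))
```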