EAP-TTLS not working

Alan DeKok aland at deployingradius.com
Sun Sep 2 14:22:23 CEST 2018

> On Sep 2, 2018, at 5:54 AM, Jürgen Obermeyer <om at oegym.de> wrote:
>> Something is very wrong with the Samba / AD infrastructure if MS-CHAP doesn't work.
> I think the problem is in my freeradius config.

  If you send MS-CHAP data to Samba, and it says "no", then the issue is on the Samba side.

  FreeRADIUS does MS-CHAP correctly, and has done so for about 20 years...

> Now I'm testing to
> connect a wireless client with eap-ttls, but it's not working, too.
> 'radtest' is always successful, but I can't connect any wireless client.

  The debug output shows what's going on.

> ...
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     authenticate {
> (6) eap: Expiring EAP session with state 0x849ba7b1849aa33e
> (6) eap: Finished EAP session with state 0x849ba7b1849aa33e
> (6) eap: Previous EAP request found for state 0x849ba7b1849aa33e, released from the list
> (6) eap: Peer sent packet with method EAP MD5 (4)
> (6) eap: Calling submodule eap_md5 to process data
> (6) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
> (6) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module failed

  That is pretty clear.

  You can't do EAP-MD5 and Kerberos.

  You MUST configure TTLS with PAP inside of the tunnel.  NOT EAP-MD5.

  Alan DeKok.
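
Why the debug output above ends in that error, as an added example that is not part of the original post: EAP-MD5 makes the server recompute MD5(identifier || password || challenge), which needs the cleartext password, while PAP inside the TTLS tunnel delivers the password itself so it can be handed to a backend that only answers yes or no. `OpaqueBackend`, the user name and the password are constructed stand-ins for a Kerberos/AD-style backend, not FreeRADIUS or Samba code.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style value carried by EAP-MD5: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class OpaqueBackend:
    """Constructed stand-in for Kerberos/AD: it can test a password, never reveal it."""

    def __init__(self, users: dict):
        self._salt = os.urandom(16)
        self._db = {user: self._derive(pw) for user, pw in users.items()}

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 1000)

    def check(self, user: str, password: bytes) -> bool:
        stored = self._db.get(user)
        return stored is not None and hmac.compare_digest(stored, self._derive(password))


def verify_pap(backend: OpaqueBackend, user: str, password: bytes) -> bool:
    # Inner PAP: the server receives the password (protected by the TLS tunnel)
    # and can pass it on to a backend that only says yes or no.
    return backend.check(user, password)


def verify_eap_md5(cleartext, identifier: int, challenge: bytes, response: bytes) -> bool:
    # Inner EAP-MD5: the server never sees the password, only a hash of it, so it
    # must recompute that hash itself and therefore needs the cleartext password.
    if cleartext is None:
        raise LookupError("Cleartext-Password is required for EAP-MD5 authentication")
    expected = eap_md5_response(identifier, cleartext, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    backend = OpaqueBackend({"alice": b"constructed-pw"})  # constructed sample user
    challenge = os.urandom(16)
    response = eap_md5_response(7, b"constructed-pw", challenge)  # what the client sends
    print("PAP via backend:", verify_pap(backend, "alice", b"constructed-pw"))
    try:
        verify_eap_md5(None, 7, challenge, response)  # backend cannot supply cleartext
    except LookupError as exc:
        print("EAP-MD5 via backend:", exc)
```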
