About EAP-TTLS + MS-CHAPv2 authentication
Alan DeKok
aland at deployingradius.com
Tue Jul 30 16:57:10 CEST 2019
On Jul 30, 2019, at 10:53 AM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> I'm sorry, my English is not good.
It's fine.
> I am migrating a FreeRadius server, but I'm having trouble connecting
> with EAP-TTLS + MS-CHAPv2.
>
> The migration source is FreeRadius v2, but this time it is a migration
> to FreeRadius v3.
> Although the configuration is a straight migration, some settings have
> been added as dynamic VLAN is required.
> At first we recommended building with EAP-TTLS + PAP, but customers
> are required to connect with EAP-TTLS + MS-CHAPv2.
> With EAP-TTLS + PAP, authentication was successful, but it results in
> an error when an EAP-TTLS + MS-CHAPv2 connection is made.
Yes.
> Specifically, I run into the following error in the authenticate
> section.
> ------
> (6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere
> (6) ldap_regularusers: WARNING: *********************************************
> (6) ldap_regularusers: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT.
> (6) ldap_regularusers: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
> (6) ldap_regularusers: WARNING: *********************************************
> (6) ldap_regularusers: ERROR: Attribute "User-Password" is required
> for authentication
> ------
That should be clear:
1) don't set Auth-Type := LDAP
2) get the password from LDAP and let FreeRADIUS do the authentication. LDAP servers don't do MS-CHAPv2.
If the LDAP server is Active Directory, then you need to follow my guide:
http://deployingradius.com/documents/configuration/active_directory.html
> As a question and support
>
> 1. Can I authenticate using EAP-TTLS + MS-CHAPv2?
Yes. See above. But not with "Auth-Type := LDAP"
Alan DeKok.
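
The change described in the reply above, sketched as a FreeRADIUS v3 configuration fragment. This is an added example, not part of the original message or of the configuration FreeRADIUS ships. The instance name `ldap_regularusers` comes from the debug log; the directory attribute `sambaNTPassword` and the file locations are assumptions, and the directory must store an NT hash or a cleartext password for MS-CHAPv2 to be verifiable.

```conf
# mods-enabled/ldap  (instance name taken from the debug log above)
ldap ldap_regularusers {
    # ... server, identity, base_dn and other existing settings unchanged ...

    update {
        # Copy the stored credential into the control list so that
        # FreeRADIUS itself can check the MS-CHAPv2 response.
        # 'sambaNTPassword' is an assumed attribute name; use whichever
        # attribute holds the NT hash in your directory.
        control:NT-Password          := 'sambaNTPassword'

        # Cleartext passwords, if the directory stores them. A salted
        # hash ({SSHA} and similar) is enough for PAP but cannot be used
        # to verify an MS-CHAPv2 response.
        control:Password-With-Header += 'userPassword'
    }
}

# sites-enabled/inner-tunnel  (virtual server for the TTLS inner method)
server inner-tunnel {
    authorize {
        mschap               # sees the MS-CHAP attributes, sets Auth-Type := MS-CHAP
        ldap_regularusers    # looks the user up and fills control:NT-Password
        eap {
            ok = return
        }
        pap

        # Before (wrong): forcing the method sends every request to an
        # LDAP bind, which needs User-Password. MS-CHAPv2 never carries
        # one, hence the error in the log. Delete this wherever it is
        # set (unlang as shown here, or an entry in the users file).
        #   update control {
        #       Auth-Type := LDAP
        #   }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

After the change, `radiusd -X` should show the `mschap` module handling the inner request and no "Auth-Type := LDAP" warning. For Active Directory, follow the guide linked in the reply instead.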