About EAP-TTLS + MS-CHAPv2 authentication
Yuya Yanagi
peacefull64 at gmail.com
Tue Jul 30 17:06:37 CEST 2019
Alan
Thank you for your reply.
The LDAP server uses OpenLDAP.
Authentication of Wifi_AP and wired LAN does not use AD.
The attribute about the user is set to OpenLDAP.
The migration source passes authentication with MS-CHAPv2, but
Maybe you should choose MS-CHAPv2?
2019-07-30 23:57 GMT+09:00, Alan DeKok <aland at deployingradius.com>:
> On Jul 30, 2019, at 10:53 AM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
>> I'm sorry, my English is not good.
>
> It's fine.
>
>> I am migrating a FreeRadius server, but I'm having trouble connecting
>> with EAP-TTLS + MS-CHAPv2.
>>
>> The migration source is FreeRadius v2, but this time it is a migration
>> to FreeRadius v3.
>> Although the configuration is a straight migration, some settings have
>> been added as dynamic VLAN is required.
>> At first we recommended building with EAP-TTLS + PAP, but customers
>> are required to connect with EAP-TTLS + MS-CHAPv2.
>> With EAP-TTLS + PAP, authentication was successful, but it results in
>> an error when the connection is made with EAP-TTLS + MS-CHAPv2.
>
> Yes.
>
>> Specifically, I get into trouble with the following error at the point
>> of authenticate section.
>> ------
>> (6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere
>> (6) ldap_regularusers: WARNING: *********************************************
>> (6) ldap_regularusers: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT.
>> (6) ldap_regularusers: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
>> (6) ldap_regularusers: WARNING: *********************************************
>> (6) ldap_regularusers: ERROR: Attribute "User-Password" is required for authentication
>> ------
>
> That should be clear:
>
> 1) don't set Auth-Type := LDAP
> 2) get the password from LDAP and let FreeRADIUS do the authentication.
> LDAP servers don't do MS-CHAPv2.
>
> If the LDAP server is Active Directory, then you need to follow my guide:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
>> As a question and support
>>
>> 1. Can I authenticate using EAP-TTLS + MS-CHAPv2?
>
> Yes. See above. But not with "Auth-Type := LDAP"
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
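
The change described in the quoted reply, sketched as FreeRADIUS v3 configuration. This is an added example, not the poster's configuration and not text from the thread: the instance name `ldap_regularusers` comes from the log above, while the `sambaNTPassword` attribute, the use of `inner-tunnel`, and everything elided with `...` are assumptions.

```conf
# ADDED EXAMPLE (assumed layout, FreeRADIUS v3). MS-CHAPv2 is a
# challenge/response exchange: the server never receives User-Password,
# so an LDAP bind ("Auth-Type := LDAP") cannot work. The mschap module
# needs the cleartext password or the NT hash in the control list.

# --- mods-enabled/ldap: instance named as in the log above ---
ldap ldap_regularusers {
    # ... server, identity, base_dn, user filter unchanged ...
    update {
        # Stock v3 mapping; only usable for MS-CHAPv2 if the stored
        # value is cleartext (salted/crypt hashes will not work).
        control:Password-With-Header += 'userPassword'
        # Assumption: the directory carries an NT hash in this attribute.
        control:NT-Password          := 'sambaNTPassword'
    }
}

# --- sites-enabled/inner-tunnel (inside the TTLS tunnel) ---
server inner-tunnel {
    authorize {
        # ... other entries unchanged ...
        mschap              # sees MS-CHAP attributes, sets Auth-Type := MS-CHAP
        ldap_regularusers   # lookup only: copies password/hash into control
        pap                 # sets Auth-Type := PAP only when User-Password exists

        # BEFORE (triggers the WARNING/ERROR in the log): forcing a bind.
        # update control {
        #     Auth-Type := LDAP
        # }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap          # verifies the response against the fetched hash
        }
    }
}
```

The same "Auth-Type := LDAP" can also be set from a `users` file entry carried over from the v2 configuration, so check there as well as in the virtual servers.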