But why

Alan DeKok aland at deployingradius.com
Wed Oct 2 20:18:13 CEST 2019

On Oct 2, 2019, at 12:16 PM, Alberto Martínez Setién via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm getting this debug output when trying to authenticate from an iPad:

  That's fine.

> This is the content of the eap module:

  That's not really relevant.  Also, the documentation says "don't post config files to the list".  We don't need to see them, they don't help.

> Pretty much standard. I expect TTLS + PAP, not MSCHAPv2


> Is this a normal outcome?

  Yes.  Plenty of clients do TTLS + MS-CHAPv2.

> Why doesn't iOS try PAP?

  Because it wasn't configured to do PAP.  No amount of poking FreeRADIUS will change the configuration on the iPad.  You MUST change the iPad configuration on the iPad.

> Having a User-Password attribute doesn't serve as a hint for the server
> when looking for a mutually acceptable type?

  How would that work?  There's no User-Password from the client in the inner tunnel data.  The server never sends a User-Password to the client.

  EAP just doesn't do "I hope it works like I want".  EAP works the way it works.  If you want to understand why it's *not* doing what you want, you have to first understand how it works.

  In this case, if you want the client to do TTLS + PAP, then you need to configure the client to do TTLS + PAP.

  Alan DeKok.
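
Added example, not part of the original message and not FreeRADIUS code: a small Python check that reads an Apple configuration profile and reports which EAP-TTLS inner method each Wi-Fi payload tells the device to use, since that choice is made on the client. It assumes the iPad is provisioned with an unsigned `.mobileconfig` profile and uses the `EAPClientConfiguration`, `AcceptEAPTypes` and `TTLSInnerAuthentication` keys of Apple's Wi-Fi payload (where a missing `TTLSInnerAuthentication` defaults to MSCHAPv2); the sample profile and SSIDs are constructed.

```python
import plistlib

EAP_TTLS = 21               # IANA EAP type number for EAP-TTLS
DEFAULT_INNER = "MSCHAPv2"  # Apple's documented default when the key is absent

# Constructed sample profile: two Wi-Fi payloads, one without an explicit inner method.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadContent</key><array>
  <dict>
   <key>PayloadType</key><string>com.apple.wifi.managed</string>
   <key>SSID_STR</key><string>example-default</string>
   <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>21</integer></array>
   </dict>
  </dict>
  <dict>
   <key>PayloadType</key><string>com.apple.wifi.managed</string>
   <key>SSID_STR</key><string>example-pap</string>
   <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>21</integer></array>
    <key>TTLSInnerAuthentication</key><string>PAP</string>
   </dict>
  </dict>
 </array>
</dict></plist>"""


def ttls_inner_methods(profile_bytes):
    """Return {SSID: inner method} for every Wi-Fi payload that accepts EAP-TTLS."""
    profile = plistlib.loads(profile_bytes)
    result = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if not eap or EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            continue  # not 802.1X, or TTLS is not an accepted outer method
        result[payload.get("SSID_STR", "<no SSID>")] = eap.get(
            "TTLSInnerAuthentication", DEFAULT_INNER)
    return result


if __name__ == "__main__":
    for ssid, inner in ttls_inner_methods(SAMPLE_PROFILE).items():
        print(f"{ssid}: EAP-TTLS inner method = {inner}")
```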
