But why
Alberto Martínez Setién
alberto.martinez at deusto.es
Thu Oct 3 11:45:47 CEST 2019
> > Pretty much standard. I expect TTLS + PAP, not MSCHAPv2
>
> Why?
>
I thought that default_eap_type worked that way
# Loaded module rlm_eap
> # Loading module "eap" from file
> /usr/local/freeradius-3.0.17/etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "ttls"
>
> > Is this a normal outcome?
>
> Yes. Plenty of clients do TTLS + MS-CHAPv2.
>
Does iOS prefer doing TTLS + MS-CHAPv2 over TTLS-PAP? There is no way of
letting it know the preferred method without the use of a WiFi profile?
> > Why iOS doesn't try PAP?
>
> Because it wasn't configured to do PAP. No amount of poking FreeRADIUS
> will change the configuration on the iPad. You MUST change the iPad
> configuration on the iPad.
>
I believe that this is an answer to my question before. But is it really
so? Does the iPad always do TTLS+MSCHAPv2 when trying to connect to an
unconfigured 802.1x network?
> > Having a User-Password attribute doesn't serve as a hint for the server
> > when looking for a mutually acceptable type?
>
> How would that work? There's no User-Password from the client in the
> inner tunnel data. The server never sends a User-Password to the client.
>
You are right, sorry. The client doesn't send the User-Password in the
inner tunnel before deciding the inner-tunnel auth method.
More information about the Freeradius-Users
mailing list