But why

Alberto Martínez Setién alberto.martinez at deusto.es
Thu Oct 3 11:45:47 CEST 2019

> > Pretty much standard. I expect TTLS + PAP, not MSCHAPv2
>   Why?

I thought that default_eap_type worked that way

  # Loaded module rlm_eap
>   # Loading module "eap" from file
> /usr/local/freeradius-3.0.17/etc/raddb/mods-enabled/eap
>   eap {
>   default_eap_type = "ttls"

> > Is this a normal outcome?
>   Yes.  Plenty of clients do TTLS + MS-CHAPv2.

Does iOS prefer doing TTLS + MS-CHAPv2 over TTLS-PAP? Is there no way of
letting it know the preferred method without the use of a WiFi profile?

> > Why iOS doesn't try PAP?
>   Because it wasn't configured to do PAP.  No amount of poking FreeRADIUS
> will change the configuration on the iPad.  You MUST change the iPad
> configuration on the iPad.

I believe that this is an answer to my question before. But is it really
so? Does the iPad always do TTLS+MSCHAPv2 when trying to connect to an
unconfigured 802.1x network?

> > Having a User-Password attribute doesn't serve as a hint for the server
> > when looking for a mutually acceptable type?
>   How would that work?  There's no User-Password from the client in the
> inner tunnel data.  The server never sends a User-Password to the client.

You are right, sorry. The client doesn't send the User-Password in the
inner tunnel before deciding the inner-tunnel auth method.
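
Added illustration, not part of the original message and not FreeRADIUS code: in EAP-TTLS the client announces its inner method purely by which AVPs it places in the tunnel, so the server can only observe the choice. The sketch below parses the Diameter-style AVP layout from RFC 5281 and names the method; the function names and the sample payloads are constructed for this example.

```python
import struct

MS = 311  # Microsoft vendor ID used by the MS-CHAP attributes (RFC 2548)
NAMES = {(0, 1): "User-Name", (0, 2): "User-Password", (0, 3): "CHAP-Password",
         (0, 60): "CHAP-Challenge", (0, 79): "EAP-Message",
         (MS, 1): "MS-CHAP-Response", (MS, 11): "MS-CHAP-Challenge",
         (MS, 25): "MS-CHAP2-Response"}

def avp(code, data, vendor=0):
    """Build one AVP (helper for the constructed samples below)."""
    flags = 0x40 | (0x80 if vendor else 0)          # M bit, plus V bit if vendor
    length = (12 if vendor else 8) + len(data)      # header + data, no padding
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor:
        out += struct.pack("!I", vendor)
    return out + data + b"\0" * (-length % 4)       # pad to a 4-byte boundary

def parse_avps(buf):
    """Return [(vendor, code, data)] from decrypted inner-tunnel bytes."""
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", buf, pos)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8
        if length < hdr or pos + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if flags & 0x80 else 0
        avps.append((vendor, code, buf[pos + hdr:pos + length]))
        pos += (length + 3) & ~3                    # skip data and padding
    return avps

def inner_method(avps):
    """Name the inner method the client chose, from the AVPs it sent."""
    seen = {NAMES.get((v, c)) for v, c, _ in avps}
    for attr, method in (("EAP-Message", "EAP"), ("MS-CHAP2-Response", "MS-CHAPv2"),
                         ("MS-CHAP-Response", "MS-CHAP"), ("CHAP-Password", "CHAP"),
                         ("User-Password", "PAP")):
        if attr in seen:
            return method
    return "unknown"

# Constructed sample payloads (not captured traffic).
PAP_SAMPLE = avp(1, b"alice") + avp(2, b"secret".ljust(16, b"\0"))
MSCHAPV2_SAMPLE = avp(1, b"alice") + avp(11, bytes(16), MS) + avp(25, bytes(50), MS)
```

Only the first sample contains a User-Password; a client that starts with MS-CHAPv2 never sends one, so the server has nothing to use as a hint.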
