Ttys/pap and Active Directory

Alan DeKok aland at
Thu Jul 9 22:36:09 CEST 2020

> On Jul 9, 2020, at 2:17 PM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at> wrote:
> Did I understand the procedure correctly?
> 1) In the eap module we specify the root certificate
> 2) Creating client certificates and signing with this root certificate

  EAP-TLS requires client certificates.  TTLS does not.

> 3) On the windows client we add our root certificate to trusted root certificates
> 4) On the Windows client we add the generated client certificates to the trusted personal certificates

  For EAP-TLS.  Not for TTLS.

> If this is true, does ttls/pap require certificates on the server and client? I thought ttls/pap only requires certificates on the server

  Doing *any* TLS requires that the Windows client knows about the root CA.

  You *don't* need a client certificate for TTLS + PAP.

  You *do* need a client certificate for EAP-TLS.

  You *do* need a server certificate which is on FreeRADIUS.  That server certificate *must* be signed by the root CA.

  Alan DeKok.
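
Added example, not part of the original message: a shell check, using the `openssl` command line, that a server certificate really chains to the root CA you install on the Windows clients, which is the one trust relationship TTLS + PAP depends on. The CA names, host name and file names are constructed, and the keys are throwaway ones created in a temporary directory.

```shell
#!/bin/sh
# Added example: throwaway CA and server certificate; every name is constructed.
set -eu

# Create a self-signed root CA (the certificate the Windows clients must trust).
make_ca() {  # $1 = output prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a server certificate signed by the given CA.
make_server_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = server CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# Return 0 only if the server certificate chains to the given root CA.
chains_to() {  # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

make_ca "$dir/ca" "Example Root CA"        # root deployed to the clients
make_ca "$dir/other" "Unrelated CA"        # a root the clients do not have
make_server_cert "$dir/ca" "$dir/server" "radius.example.org"

# Expected: the server certificate validates against the deployed root ...
chains_to "$dir/ca.pem" "$dir/server.pem" &&
    echo "server cert chains to the deployed root CA: OK"

# ... and fails against any other root, which is what a client sees
# when the wrong CA (or no CA) has been installed.
chains_to "$dir/other.pem" "$dir/server.pem" ||
    echo "server cert does not chain to the unrelated CA: client would reject it"
```

No client certificate is created anywhere in this script, matching the TTLS + PAP case; EAP-TLS would additionally need one issued to each client.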
