Windows PAP not working, Android PAP does work
Alan DeKok
aland at deployingradius.com
Tue Jun 23 15:08:33 CEST 2020
On Jun 23, 2020, at 4:57 AM, Mathias Maes <mathias.maes at maerlantatheneum.be> wrote:
> Little background on my setup:
> I made Freeradius connect to Google Secure LDAP, and I do some post
> authentication (add a VLAN attribute to a response when a user belongs to a
> certain group in Google)
> Yesterday I generated new certificates to test a 'real' production setup.
>
> Android: Installing cert, setting EAP-TTLS and PAP, username, password, et
> voila, everything works, connected to the right VLAN. However, it takes
> quite long (like over 5 seconds). The Freeradius log of the Android
> connection is in attachment

If it takes 5s to authenticate the user, then likely something is wrong on the Google side. i.e. the LDAP queries are taking a long time.

This is one of the few situations where you can run "radiusd -Xx". That gets you timestamps for each line that's logged. Which tells you exactly what portion of the server is taking time.

> But with Windows 10, installing server and ca certificates, setting up the
> network to use EAP-TTLS PAP, trying to connect with username and password.

Windows is using PEAP, not TTLS + PAP.

> Windows simply shows a "Cannot connect to this network", the Freeradius log
> is quite different, as I read it, it seems that Windows still tries to use
> CHAP instead of PAP,
>
> The Windows log is also in attachment.

I would suggest attaching the actual logs, verbatim. Redirect the "radiusd -X" output to a file if necessary.

Whatever method you've used here has reformatted the output, and added tons of whitespace, which breaks long lines. It's very unusual, and not necessary.

I would also suggest READING the debug output you're posting. If it doesn't contain references to TTLS, then it's pretty clear that Windows isn't using TTLS.

> These are my Windows settings: https://i.imgur.com/EFW1vja.png

You have to configure Windows to use TTLS + PAP.

  Alan DeKok.
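
Added example, not part of the original message and not FreeRADIUS code: a short script that applies the two checks suggested above to a saved "radiusd -Xx" log, finding the largest delay between consecutive timestamped lines and listing which EAP submodules the log mentions. The timestamp layout, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample. Assumed line layout: ctime-style timestamp, " : ", message.
SAMPLE = """\
Tue Jun 23 10:57:01 2020 : Debug: (7) eap: Calling submodule eap_ttls to process data
Tue Jun 23 10:57:01 2020 : Debug: (7) ldap: Performing search in dc=example,dc=org
Tue Jun 23 10:57:06 2020 : Debug: (7) ldap: Bind as user successful
Tue Jun 23 10:57:06 2020 : Debug: (7) Sent Access-Accept Id 7
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (.*)$")
EAP_SUBMODULE = re.compile(r"\beap_(ttls|peap|tls|md5|mschapv2|gtc)\b")


def parse(text):
    """Return (timestamp, message) pairs; lines without a timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append((when, m.group(2)))
    return entries


def slowest_step(text):
    """Return (seconds, message_before, message_after) for the largest gap, or None."""
    entries = parse(text)
    worst = None
    for (t0, m0), (t1, m1) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if worst is None or gap > worst[0]:
            worst = (gap, m0, m1)
    return worst


def eap_methods(text):
    """Return the set of EAP submodule names that appear anywhere in the log."""
    return set(EAP_SUBMODULE.findall(text))


if __name__ == "__main__":
    print("largest gap:", slowest_step(SAMPLE))
    print("EAP submodules seen:", eap_methods(SAMPLE))
```

If the set of submodules for a client does not include ttls, that client's session never reached EAP-TTLS, whatever the supplicant dialog appears to show.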