Proxy to realm after eap-ttls authantication

Alan DeKok aland at
Tue Nov 24 20:41:46 CET 2020

On Nov 24, 2020, at 2:32 PM, Mesut Ozturk <mesut at> wrote:
> I got it from GlobalSign site.
> And used for both Android clients and freeradius.

  OK.  Then something may be wrong with the Android configuration.

  You also need to ensure that *all* of the intermediate certificates are added to the FreeRADIUS configuration.  See the documentation in mods-available/eap.  This is well documented.

>> But... that debug output doesn't show anything useful.  Why post *part* of the debug output, when you can post *all* of it?
>> If you don't know how to read the debug output, there's documentation for that:
> I am debuging with "freeradius -X" command. Am i doing wrong ? Also when i tried with IOS device that was the only output. it occured 3 times and i shared one of them.

  What you're doing it not sharing *all* of the debug output.

> What i notices IOS trying Access Challange to wrong ip. this ip is not the one which i configured for proxy-inner-tunnel
>> (2) Sent Access-Challenge Id 228 from to length 0

  RADIUS doesn't proxy the Access-Challenge to the home server.  It proxies the Access-Request.  The Access-Challenge is sent back to the WLC.

  And WHAT did you configure for proxying in the inner tunnel?  Perhaps you could describe what you did.

> Still dont understand. I am using same controller(Cisco WLC), same SSID and same radius server(freeradius) but android clients cant complete EAP and says unknown CA, IOS devices can complete EAP part but cant start access challange part.

  I don't know what that means: "can't start Access-Challenge part"

  What happens if you just let the iOS server authenticate?  Does it finish authentication?  Does it stop after FreeRADIUS sends the Access-Challenge?

  Use CLEAR DESCRIPTIONS for what is going wrong.

  If iOS authentication stops after FreeRADIUS sends the Access-Challenge, then it has the same issue as Android.  The certificates are wrong, or configured incorrectly.

> Please help me, i am confused and lost in forums.

  Don't waste your time with forums or random third-party web sites.  They are almost all wrong.

  There is long and detailed documentation on how to get EAP to work.  See my web site:

  Follow the instructions.  Use the test certificates.  It *WILL* work.

  Then, when that works with iOS / Android, swap out the certificates.  And make sure that ALL certificates, including intermediate CAs, are configured with FreeRADIUS.  You will then be able to get Android and iOS working.

  And PLEASE fix one problem at a time.  Stop trying to proxy the inner tunnel, until you get authentication working.  If you try to fix 4 things at once, you get lost in the details, and you have no idea what changes will break (or fix) what thing.

  Follow the documentation on my web site.  THEN swap out certificates for the Globalsign ones.  THEN configure proxying of the inner tunnel.

  Alan DeKok.

More information about the Freeradius-Users mailing list