EAP TTLS Inner Tunnel

Connor Herring connorrjherring at gmail.com
Thu Sep 12 14:46:20 UTC 2024


Hi Alan,

Thanks for the confirmation! I'll just keep it how it is for now then.

In regards to the Apple PAP comment, having looked online, plenty of people
seem to suggest that EAPTTLS/PAP requires extra configuration. Also,
whenever I comment out either MD5 in the EAP file or EAP in the
/sites-enabled/inner-tunnel file (so it can't call the EAP-MD5 module), I
get errors. No problem with Windows, but Apple always fails. Not necessarily
a problem, just thought it was weird.

Kind regards,

Connor

On Thu, Sep 12, 2024 at 3:40 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Sep 12, 2024, at 10:11 AM, Connor Herring <connorrjherring at gmail.com> wrote:
> > I've got my setup working so that the outer auth is dealt with by EAPTTLS
> > and then the inner is dealt with by either PAP/MD5 depending on what device
> > the client is using (Windows doesn't seem to support MD5 and Apple doesn't
> > seem to support PAP without extra config).
>
>   Apple systems should be able to do TTLS+PAP without issue.
>
> > My question is regarding the /mods-available/inner-eap module. My setup
> > seems to be working but finding out that this module exists has made me
> > question that fact. Instead of configuring inner tunnel within the
> > /mods-enabled/eap file (e.g. setting the virtual server to your inner
> > tunnel server and then configuring the inner tunnel virtual server in
> > /sites-enabled/inner-tunnel etc.) do you HAVE to use
> > /mods-available/inner-eap for this kind of setup to work correctly?
>
>   No.
>
> > When reading the documents I wasn't sure if the inner-eap module was going
> > to be more heavily relied upon in v4.0.0 (I'm on v3.2.1) but wasn't
> > necessary at the moment?
>
>   The intent of the inner vs outer EAP modules was to allow different EAP
> types.
>
>   i.e. you don't want to do EAP-TTLS, which then carries EAP-TTLS, which
> then carries EAP-TTLS...
>
>   Using one EAP module means that such nesting is allowed / easier.  Using
> a separate "inner-eap" module means that you can more easily separate the
> two sets of EAP methods.
>
>   Alan DeKok.
>
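
The separation Alan describes, sketched as FreeRADIUS v3 configuration fragments. This is an added example, not configuration posted by anyone in the thread; the choice of inner methods (MD5 through a separate inner-eap instance, PAP alongside it) mirrors the setup described above, and every elided part is assumed to be left at the stock defaults.

```conf
# mods-enabled/eap
# Outer instance: the tunnelled method (TTLS) is configured only here.
eap {
	default_eap_type = ttls
	# ... tls-config tls-common { ... } and other stock settings ...
	ttls {
		tls = tls-common
		virtual_server = "inner-tunnel"
	}
}

# mods-enabled/inner-eap  (symlink to ../mods-available/inner-eap)
# Second instance of the eap module, used only inside the tunnel.
# It has no ttls/peap subsection, so a client cannot open another
# tunnel inside the tunnel (the TTLS-in-TTLS nesting mentioned above).
eap inner-eap {
	default_eap_type = md5
	md5 {
	}
}

# sites-enabled/inner-tunnel
server inner-tunnel {
	authorize {
		# ... stock entries ...
		# The stock file calls "eap" here; with a separate inner
		# instance, call that instance instead.
		inner-eap {
			ok = return
		}
		files
		pap
	}
	authenticate {
		# Inner PAP (what the Windows clients in the thread use)
		Auth-Type PAP {
			pap
		}
		# Inner EAP-MD5, handled by the inner instance
		inner-eap
	}
}
```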

