EAP-TTLS/PAP failing: client NAKs and requests MSCHAPv2 inside inner-tunnel

[Alan DeKok]

> On Oct 1, 2025, at 7:43 AM, Arifia Hapsari <arifiarahmi at gmail.com> wrote:
> Thank you for your guidance in the previous email. Following your advice, I
> have successfully reconfigured my entire setup to use PEAP/MSCHAPv2, with
> my Django backend providing the NT-Password hash.
> I have solved all the initial issues (including the OpenSSL MD4 problem in
> Docker), and my API is now healthy. However, I am stuck on one final, very
> confusing problem.

  OK.

> The Problem:
> During a real Wi-Fi authentication, my rlm_rest instance (guest_auth)
> consistently returns noop, which causes the mschap module to fail with
> ERROR: FAILED: No NT-Password.

  Looking at the source code to rlm_rest, the only time it returns NOOP is when there's no relevant section in the configuration.

  i.e. you're listing "rest" in the "authorize" section, but then mods-enabled/rest doesn't have an "authorize" configuration.

  Alan DeKok.