EAP-TTLS/PAP failing: client NAKs and requests MSCHAPv2 inside inner-tunnel
Arifia Hapsari
arifiarahmi at gmail.com
Tue Sep 23 11:49:04 UTC 2025
Hello,
I am trying to configure FreeRADIUS for guest Wi-Fi authentication using
*EAP-TTLS/PAP*. My backend is a custom REST API that validates the username
and plain-text password.
The Phase 1 TLS tunnel is established successfully, but the inner
authentication (Phase 2) always fails. The debug log shows that my
inner-tunnel server rejects the user.
Here is the part of my debug log:
(7) server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) eap: Peer sent EAP Response (code 2) ID 1 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP NAK (3)
(7) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2
(26), skipping...
(7) eap: ERROR: No mutually acceptable types found
(7) [eap] = invalid
(7) } # authenticate = invalid
(7) Failed to authenticate the user
...
(7) eap_ttls: Got tunneled Access-Reject
(7) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
My eap.conf is configured to use default_eap_type = "pap" inside the ttls
section.
*My questions are:*
1.
Does the log line Peer NAK'd asking for unsupported EAP type
MSCHAPv2 definitively
mean that client requests MSCHAPv2 but the server is only configured to
accept EAP-TTLS/PAP?
2.
What is the recommended best practice to solve this for a guest network?
Should I focus on forcing the client devices to use PAP, or is it more
reliable to reconfigure my server and REST API to support MSCHAPv2 (by
providing the NT-Password hash)?
Thank you for your help
More information about the Freeradius-Users
mailing list