EAP-TTLS/PAP failing: client NAKs and requests MSCHAPv2 inside inner-tunnel
Alan DeKok
alan.dekok at inkbridge.io
Tue Sep 23 11:57:53 UTC 2025
On Sep 23, 2025, at 7:49 AM, Arifia Hapsari <arifiarahmi at gmail.com> wrote:
> I am trying to configure FreeRADIUS for guest Wi-Fi authentication using
> *EAP-TTLS/PAP*. My backend is a custom REST API that validates the username
> and plain-text password.
It's almost always better to have the back-end supply the password to FreeRADIUS. FreeRADIUS can then authenticate the user.
> Does the log line Peer NAK'd asking for unsupported EAP type MSCHAPv2
> definitively mean that client requests MSCHAPv2 but the server is only
> configured to accept EAP-TTLS/PAP?
Yes.
> 2. What is the recommended best practice to solve this for a guest network?
> Should I focus on forcing the client devices to use PAP,
That's pretty much impossible. There's no way for a server to reconfigure the client.
If you can somehow change the client configuration to use PAP, that would work. But that can only be done manually / script / etc. i.e. outside of RADIUS.
> or is it more
> reliable to reconfigure my server and REST API to support MSCHAPv2 (by
> providing the NT-Password hash)?
Yes.
Alan DeKok.