EAP-TLS with Google Secure LDAP - iPhone authentication issue
Alan DeKok
alan.dekok at inkbridge.io
Fri Mar 6 01:31:00 UTC 2026
On Mar 5, 2026, at 10:36 AM, Helder Miolo <heldermiolo4 at gmail.com> wrote:
> Hello, I am running FreeRADIUS 3.0 on Ubuntu 24.04.
You should use 3.2. It has a number of new features and fixes which aren't in 3.0.
> I am trying to
> authenticate users via WPA2-Enterprise using Google Secure LDAP as the
> backend. It turns out that Android phones are working perfectly, but iPhones
> are experiencing a similar error:
>
> 5) ldap: ERROR: Attribute "User-Password" is required for authentication
You can't do MS-CHAP authentication to an LDAP database.
> Problem:
> - iPhone forces MSCHAPv2 even when EAP-TTLS/PAP is configured
? We're using iPhones with TTLS+PAP. It works fine.
IIRC, you can't select TTLS+PAP from the UI. But you can either set it using the "mobileconfig" tool, or you can create a mobileconfig file manually which sets TTLS+PAP. It's just an XML file.
> - radtest with PAP works successfully
>
> Current configuration:
> - eap.conf: default_eap_type = ttls, ttls { default_eap_type = pap }
> - inner-tunnel: Auth-Type PAP and LDAP configured
> - libldap is using GnuTLS while FreeRADIUS uses OpenSSL (Ubuntu 24.04 issue)
You will want to fix the last issue. Using different TLS libraries in the same application is likely to cause issues. When you run the server in debug mode, it will print large messages complaining about this.
Alan DeKok.
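
Added example, not part of the original message and not code from the FreeRADIUS project: a Python script that writes the kind of mobileconfig file mentioned in the reply, limiting the Wi-Fi payload to EAP-TTLS with inner PAP and pinning the RADIUS server's CA and certificate name. The SSID, server name, organisation prefix and CA bytes are constructed placeholders, and build_profile is a hypothetical helper name.

```python
import plistlib
import uuid

EAP_TYPE_TTLS = 21  # EAP method number for EAP-TTLS


def build_profile(ssid, server_name, ca_der, org="example.org"):
    """Return mobileconfig XML bytes for WPA2-Enterprise, EAP-TTLS + inner PAP."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS server CA",
        "PayloadContent": ca_der,  # DER bytes; plistlib emits a <data> element
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.ttls-pap",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TYPE_TTLS],
            "TTLSInnerAuthentication": "PAP",
            # PAP hands the cleartext password to whoever terminates the
            # tunnel, so pin the server: trusted CA plus expected cert name.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": [server_name],
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} EAP-TTLS/PAP",
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed sample values; pass the real CA certificate in DER form.
    print(build_profile("CorpWiFi", "radius.example.org", b"placeholder-DER").decode())
```

No username or password is stored in the profile, so the device prompts for credentials when it joins the network.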