[EXTERNAL] Re: EAP-TLS with Google Secure LDAP - iPhone authentication issue
Winfield, Alister (Senior Solutions Architect)
Alister.Winfield at sky.uk
Fri Mar 6 11:18:15 UTC 2026
Really, don't mix TLS libs; they don't play nicely. In some cases libs dynamically load the TLS lib, so code will run well until it calls something that needs the 'other' TLS, then random crashes occur. Good luck finding the cause, because the crash is almost always in the code that was working fine moments before.
Been bitten by this trying to trace why FR was crashing. Took a while to realise it always happened after FR or one of the loaded libs had a reason to do a UID to name or name to UID lookup. That lookup called libnss, which loaded nssldap, which loaded libldap, which loaded libgnutls... Ticking time bomb after that. (Yes, this was a long time ago, pre-sssd.)
A.
From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of Alan DeKok via Freeradius-Users <freeradius-users at lists.freeradius.org>
Date: Friday, 6 March 2026 at 01:31
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <alan.dekok at inkbridge.io>
Subject: [EXTERNAL] Re: EAP-TLS with Google Secure LDAP - iPhone authentication issue
On Mar 5, 2026, at 10:36 AM, Helder Miolo <heldermiolo4 at gmail.com> wrote:
> Hello, I am running FreeRADIUS 3.0 on Ubuntu 24.04.
You should use 3.2. It has a number of new features and fixes which aren't in 3.0.
> I am trying to
> authenticate users via WPA2-Enterprise using Google Secure LDAP as the
> backend. It turns out that Android phones are working perfectly, but iPhones
> are experiencing a similar error:
>
> 5) ldap: ERROR: Attribute "User-Password" is required for authentication
You can't do MS-CHAP authentication to an LDAP database.
> Problem:
> - iPhone forces MSCHAPv2 even when EAP-TTLS/PAP is configured
? We're using iPhones with TTLS+PAP. It works fine.
IIRC, you can't select TTLS+PAP from the UI. But you can either set it using the "mobileconfig" tool, or you can create a mobileconfig file manually which sets TTLS+PAP. It's just an XML file.
> - radtest with PAP works successfully
>
> Current configuration:
> - eap.conf: default_eap_type = ttls, ttls { default_eap_type = pap }
> - inner-tunnel: Auth-Type PAP and LDAP configured
> - libldap is using GnuTLS while FreeRADIUS uses OpenSSL (Ubuntu 24.04 issue)
You will want to fix the last issue. Using different TLS libraries in the same application is likely to cause issues. When you run the server in debug mode, it will print large messages complaining about this.
Alan DeKok.
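
Added example (not from either poster and not FreeRADIUS code): a check for the mixed-TLS condition discussed in this thread. It reads the libraries actually mapped into a running process from /proc/<pid>/maps, so it also sees libraries pulled in later by dynamic loading. The sample map excerpts, the function names and the library paths are constructed assumptions.

```python
import re
import sys

# Shared-object basenames that identify each TLS implementation.
TLS_FAMILIES = {
    "OpenSSL": re.compile(r"^lib(ssl|crypto)\.so"),
    "GnuTLS": re.compile(r"^libgnutls\.so"),
}

# Constructed /proc/<pid>/maps excerpts (addresses and paths are made up).
MAPS_AT_START = """\
55d0c0a00000-55d0c0a5e000 r-xp 00000000 08:01 131 /usr/sbin/freeradius
7f10a0000000-7f10a0090000 r-xp 00000000 08:01 201 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f10a0200000-7f10a0600000 r-xp 00000000 08:01 202 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f10a1000000-7f10a1021000 rw-p 00000000 00:00 0 [heap]
"""
MAPS_AFTER_LOOKUP = MAPS_AT_START + """\
7f10a2000000-7f10a2008000 r-xp 00000000 08:01 310 /usr/lib/x86_64-linux-gnu/libnss_ldap.so.2
7f10a2100000-7f10a2160000 r-xp 00000000 08:01 311 /usr/lib/x86_64-linux-gnu/libldap.so.2
7f10a2200000-7f10a2400000 r-xp 00000000 08:01 312 /usr/lib/x86_64-linux-gnu/libgnutls.so.30
7f10a2400000-7f10a2450000 r--p 00200000 08:01 312 /usr/lib/x86_64-linux-gnu/libgnutls.so.30
"""

def tls_families(maps_text):
    """Map each TLS implementation to the set of its libraries mapped in the process."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping, [heap], [stack], ...
        path = fields[5].removesuffix(" (deleted)")  # library replaced on disk
        name = path.rsplit("/", 1)[-1]
        for family, pattern in TLS_FAMILIES.items():
            if pattern.match(name):
                found.setdefault(family, set()).add(path)
    return found

def is_mixed(maps_text):
    """True when more than one TLS implementation is loaded in the same process."""
    return len(tls_families(maps_text)) > 1

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py <pid>
        with open(f"/proc/{sys.argv[1]}/maps") as fh:
            text = fh.read()
    else:
        text = MAPS_AFTER_LOOKUP
    for family, paths in sorted(tls_families(text).items()):
        print(family, *sorted(paths))
    sys.exit(1 if is_mixed(text) else 0)
```

Run it against the live server PID after the first LDAP query or name lookup has happened; a check made right after start-up can miss a library that is only loaded on demand.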