iOS 18.6.2 device refuses to connect to Wi-Fi.
Alexander Clouter
alex+freeradius at coremem.com
Fri Mar 13 08:45:33 UTC 2026
On Thu, 12 Mar 2026, at 20:34, Selahattin CILEK wrote:
>
> I'm trying something new with FreeRADIUS. There are two virtual servers
> (staff, guest) which authenticate against two separate DB backends
> (MySQL and MSSQL, respectively). Accordingly, the clients are configured
> with the "virtual_server" directive. What I'm trying to achieve is to
> make FreeRADIUS work on two separate subnets, on which separate devices
> communicate with separate virtual servers, which authenticate against
> two separate DBs. iOS devices refuse to authenticate from the *staff*
> virtual server while Android devices do. And when I remove the *guest*
> virtual server, iOS devices start connecting too.
>
> # radiusd -X
> FreeRADIUS Version 3.2.3

Upgrade, more recent versions:
1) make everyone less grumpy as we are not looking at old software
2) contain more useful debugging, in particular around TLS issues

> (7) # Executing group from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x5892ccaa5990d684
> (7) eap: Finished EAP session with state 0x5892ccaa5990d684
> (7) eap: Previous EAP request found for state 0x5892ccaa5990d684,
> released from the list
> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
> (7) eap_mschapv2: # Executing group from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
> (7) eap: Sending EAP Failure (code 4) ID 2 length 4
> (7) eap: Freeing handler
> (7) [eap] = reject
> (7) } # authenticate = reject
> (7) Failed to authenticate the user
> (7) Using Post-Auth-Type Reject

Your iOS devices are using TTLS/EAP-MSCHAPv2, I assume your Android devices are using TTLS/PAP.

FreeRADIUS has not been configured to handle EAP-MSCHAPv2. If your server does not have access to Cleartext-Password (e.g. LDAP auth), you will need to configure the device to use PAP, which requires installing a provisioning profile[1] using something like Apple Configurator or something home grown. If it does, you should be able to enable EAP-MSCHAPv2 as a valid supported inner method.

Cheers
Alex
[1] alternatively enable EAP-GTC[2], for me iOS seems to auto-detect this and use that without the need for a profile
[2] ...Apple (and Microsoft and Android) have forever made GTC unusable as they all treat it as a cacheable 'password' with no challenge prompt that can be shown to the user. :(
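
A triage helper for the failure in the quoted debug output, added here as an example and not part of the original post or of FreeRADIUS: it groups `radiusd -X` lines by request number and flags requests where the peer offered an inner EAP method but the submodule logged "Auth-Type sub-section not found" before the reject. The sample log is constructed from the lines quoted above, and `triage` and `findings` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `radiusd -X` lines quoted in the thread;
# request 9 is an invented passing request included for contrast.
SAMPLE = """\
> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
> (7) eap: Sending EAP Failure (code 4) ID 2 length 4
> (7) [eap] = reject
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) [eap] = ok
"""

LINE = re.compile(r"^(?:>\s*)*\((\d+)\)\s+(.*)$")  # optional mail quoting, request number
METHOD = re.compile(r"eap: Peer sent packet with method EAP (\S+) \(\d+\)")
NO_AUTH_TYPE = re.compile(r"^(\w+): Auth-Type sub-section not found")
EAP_RESULT = re.compile(r"\[eap\] = (\w+)")


def triage(text):
    """Group debug lines by request number and record the fields of interest."""
    reqs = defaultdict(lambda: {"method": None, "missing_auth_type": None, "eap_result": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and banners carry no request number
        rid, msg = int(m.group(1)), m.group(2)
        if (hit := METHOD.search(msg)):
            reqs[rid]["method"] = hit.group(1)
        elif (hit := NO_AUTH_TYPE.match(msg)):
            reqs[rid]["missing_auth_type"] = hit.group(1)
        elif (hit := EAP_RESULT.search(msg)):
            reqs[rid]["eap_result"] = hit.group(1)
    return dict(reqs)


def findings(text):
    """Return (request, message) pairs for rejects that follow a missing Auth-Type section."""
    out = []
    for rid, r in sorted(triage(text).items()):
        if r["missing_auth_type"] and r["eap_result"] == "reject":
            out.append((rid, f"peer offered inner EAP-{r['method']}, but {r['missing_auth_type']} "
                             "found no Auth-Type sub-section in the section being executed"))
    return out


if __name__ == "__main__":
    for rid, msg in findings(SAMPLE):
        print(f"request {rid}: {msg}")
```
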