iOS 18.6.2 device refuses to connect to Wi-Fi.
Selahattin ÇİLEK
selahattin_cilek at hotmail.com
Fri Mar 13 09:36:01 UTC 2026
Fortunately for us, FreeRADIUS happens to be a beautiful beast of
software. I found out (perhaps a bit late) that you can actually run
multiple instances of the server and they'll all run happily side by
side on the same host! All you need to do is to make as many copies of
the *raddb* folder as necessary and make sure they all listen on
separate ports. No virtual servers, no hassle! I have great respect and
admiration for the developers. Your help is appreciated.
On 3/13/2026 11:45 AM, Alexander Clouter via Freeradius-Users wrote:
> On Thu, 12 Mar 2026, at 20:34, Selahattin CILEK wrote:
>> I'm trying something new with FreeRADIUS. There are two virtual servers
>> (staff, guest) which authenticate against two separate DB backends
>> (MySQL and MSSQL, respectively). Accordingly, the clients are configured
>> with the "virtual_server" directive. What I'm trying to achieve is to
>> make FreeRADIUS work on two separate subnets, on which separate devices
>> communicate with separate virtual servers, which authenticate against
>> two separate DBs. iOS devices refuse to authenticate from the *staff*
>> virtual server while Android devices do. And when I remove the *guest*
>> virtual server, iOS devices start connecting too.
>>
>> # radiusd -X
>> FreeRADIUS Version 3.2.3
> Upgrade, more recent versions:
>
> 1) make everyone less grumpy as we are not looking at old software
>
> 2) contain more useful debugging, in particular around TLS issues
>
>> (7) # Executing group from file
>> /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
>> (7) authenticate {
>> (7) eap: Expiring EAP session with state 0x5892ccaa5990d684
>> (7) eap: Finished EAP session with state 0x5892ccaa5990d684
>> (7) eap: Previous EAP request found for state 0x5892ccaa5990d684,
>> released from the list
>> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
>> (7) eap: Calling submodule eap_mschapv2 to process data
>> (7) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
>> (7) eap_mschapv2: # Executing group from file
>> /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
>> (7) eap: Sending EAP Failure (code 4) ID 2 length 4
>> (7) eap: Freeing handler
>> (7) [eap] = reject
>> (7) } # authenticate = reject
>> (7) Failed to authenticate the user
>> (7) Using Post-Auth-Type Reject
> Your iOS devices are using TTLS/EAP-MSCHAPv2, I assume your Android devices are using TTLS/PAP.
>
> FreeRADIUS has not been configured to handle EAP-MSCHAPv2. If your server does not have access to Cleartext-Password (eg. LDAP auth), you will need to configure the device to use PAP which requires installing a provisioning profile[1] using something like Apple Configurator or something home grown. If it does, you should be able to enable EAP-MSCHAPv2 as a valid supported inner method.
>
> Cheers
>
> Alex
>
> [1] alternatively enable EAP-GTC[2], for me iOS seems to auto-detect this and use that without the need for a profile
> [2] ...Apple (and Microsoft and Android) have forever made GTC unusable as they all treat it as a cacheable 'password' with no challenge prompt that can be shown to the user. :(
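Added example (not part of the original thread, and not FreeRADIUS project code): a small triage script for `radiusd -X` output pasted from a mail quote like the one above. It reports, per request number, which EAP method the peer sent, whether a "sub-section not found" message was logged, and whether the request was rejected. The function names `unwrap` and `summarize` are hypothetical, and the sample is an excerpt of the log lines quoted in the thread.

```python
import re
from collections import defaultdict

# Excerpt of the debug output quoted in the thread, with ">> " prefixes and mail line wraps.
SAMPLE = """\
>> (7) eap: Previous EAP request found for state 0x5892ccaa5990d684,
>> released from the list
>> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
>> (7) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
>> (7) eap: Sending EAP Failure (code 4) ID 2 length 4
>> (7) [eap] = reject
>> (7) Failed to authenticate the user
"""

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")
METHOD = re.compile(r"Peer sent packet with method EAP (\S+) \((\d+)\)")

def unwrap(text):
    """Strip quote markers and rejoin lines the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if REQ.match(line) or not out:
            out.append(line)
        else:  # no "(N)" prefix: continuation of the previous log line
            out[-1] += " " + line
    return out

def summarize(text):
    """Return {request_id: {"methods": [...], "flags": [...], "rejected": bool}}."""
    reqs = defaultdict(lambda: {"methods": [], "flags": [], "rejected": False})
    for line in unwrap(text):
        m = REQ.match(line)
        if not m:
            continue
        rid, msg = int(m.group(1)), m.group(2)
        r = reqs[rid]
        if (mm := METHOD.search(msg)):
            r["methods"].append((mm.group(1), int(mm.group(2))))
        if "sub-section not found" in msg:
            r["flags"].append(msg)
        if "Sending EAP Failure" in msg or msg.endswith("= reject"):
            r["rejected"] = True
    return dict(reqs)

if __name__ == "__main__":
    for rid, info in summarize(SAMPLE).items():
        print(rid, info)
```

Run over full debug captures from both device types, the per-request method list makes it easy to see which clients negotiate EAP-MSCHAPv2 (type 26) inside the tunnel.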