On 8 Feb 2013, at 16:31, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> Was it Aruba who we had all the issues with terminating PEAP/TTLS locally on
> the controller, then transforming the inner EAP-MSCHAPv2 to plain MSCHAPv2
> and mangling it? I seem to recall a flurry of posts to the list that were
> solved by turning all that off, but this was a couple of years ago.

Certainly when we first set up eduroam on our Aruba controllers back in the ArubaOS 3.x days (2007-8) we had issues with local EAP termination. A colleague set this up and I don't think he would have ticked the box to do it, so I assume it was there by default. We disabled it back then and have never had trouble since -- but our configuration has been gradually ported through upgrades from 3.x to 5.x to 6.x, so we may have migrated that change.

However, a test controller I have running 6.x doesn't have EAP termination enabled and I think I didn't explicitly configure that, so it may have changed as a default since 3.x.

The setting is probably in the "default" dot1x authentication profile:

  (aruba) # show aaa authentication dot1x default | include Termination
  Termination                     Disabled
  Termination EAP-Type            N/A
  Termination Inner EAP-Type      N/A

... if that says "Enabled" you can turn it off:

  (aruba) (config)# aaa authentication dot1x default
  (aruba) (config ...)# no termination enable

... the help for that option says "Default is disabled" in ArubaOS 6.1.3.4.

If you want to offload (as you've just mentioned in your further email), then EAP-TTLS is not an option:

  (aruba) (802.1X Authentication Profile "default") #termination eap-type ?
  eap-peap    Select EAP-PEAP as the authentication protocol
  eap-tls     Select EAP-TLS as the authentication protocol

FWIW, we have provided eduroam on ArubaOS 3.x, 5.x and 6.x talking to FreeRADIUS 2.x (with a PostgreSQL backend for passwords, not an AD) for years with this and support EAP-TTLS/xxx without problems*, although most of our users use EAP-PEAP, but we don't do any offloading (I'm not sure why you'd want to, unless your RADIUS backend doesn't support the desired methods - but FreeRADIUS does).

  - Bob

* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.

-- 
Bob Franklin <rc...@cam.ac.uk>          +44 1223 748479
Network Division, University of Cambridge Computing Service

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
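The check Bob describes above (look at the "Termination" lines of the dot1x profile and, if they say "Enabled", turn termination off) is easy to script against a captured copy of the controller output when auditing several controllers. The following Python is an added example and is not part of the post, of ArubaOS or of FreeRADIUS; the sample outputs embedded in it are constructed to match the format quoted in the thread, the `eap-mschapv2` inner-type value in the second sample is assumed, and the profile name `default` is taken from the post.

```python
"""Audit captured ArubaOS dot1x-profile output for local EAP termination.

Added example, not from the mailing-list post or from ArubaOS/FreeRADIUS.
It parses the output of
    show aaa authentication dot1x <profile> | include Termination
as quoted in the thread and reports whether the controller terminates
PEAP/TTLS itself instead of passing EAP through to FreeRADIUS.  All sample
output strings below are constructed.
"""

import re

# Outer methods the controller offers under 'termination eap-type ?' (from the post).
OFFLOAD_EAP_TYPES = {"eap-peap", "eap-tls"}

# CLI lines from the post that disable local termination on a profile.
REMEDIATION = ["aaa authentication dot1x {profile}", "no termination enable"]

# Matches "Termination", "Termination EAP-Type" and "Termination Inner EAP-Type"
# rows; the echoed prompt line starts with "(aruba)" and is ignored.
_ROW = re.compile(r"^\s*(Termination(?: (?:Inner )?EAP-Type)?)\s+(\S.*?)\s*$")


def parse_termination(output: str) -> dict:
    """Return the Termination rows as {field: value}."""
    fields = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit(output: str, profile: str = "default") -> dict:
    """Evaluate one profile's output against the advice in the thread.

    terminates_locally is None when no Termination rows were found (wrong
    profile name or different command), otherwise True/False.
    """
    fields = parse_termination(output)
    result = {"terminates_locally": None, "eap_type": None, "inner_eap_type": None,
              "findings": [], "remediation": []}
    if not fields:
        result["findings"].append("no Termination rows found; check the profile name")
        return result

    terminates = fields.get("Termination", "").lower() == "enabled"
    eap_type = fields.get("Termination EAP-Type", "N/A").lower()
    result.update(terminates_locally=terminates, eap_type=eap_type,
                  inner_eap_type=fields.get("Termination Inner EAP-Type", "N/A").lower())
    if terminates:
        result["findings"].append(
            "local EAP termination is enabled: the controller, not FreeRADIUS, "
            "terminates the PEAP/TTLS tunnel")
        result["remediation"] = [c.format(profile=profile) for c in REMEDIATION]
        if eap_type not in OFFLOAD_EAP_TYPES:
            result["findings"].append(
                f"termination EAP type {eap_type!r} is not one the controller "
                f"offers for offload ({sorted(OFFLOAD_EAP_TYPES)})")
    return result


# Constructed sample: the healthy output quoted in the post.
SAMPLE_DISABLED = """\
(aruba) # show aaa authentication dot1x default | include Termination
Termination                     Disabled
Termination EAP-Type            N/A
Termination Inner EAP-Type      N/A
"""

# Constructed sample: a controller still terminating PEAP locally
# (the 'eap-mschapv2' inner-type value is assumed, not taken from the post).
SAMPLE_ENABLED = """\
(aruba) # show aaa authentication dot1x default | include Termination
Termination                     Enabled
Termination EAP-Type            eap-peap
Termination Inner EAP-Type      eap-mschapv2
"""

if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        r = audit(sample)
        print(f"{name}: terminates_locally={r['terminates_locally']}")
        for f in r["findings"]:
            print("  -", f)
        for cmd in r["remediation"]:
            print("  fix:", cmd)
```

Feed it the text saved from a terminal session (or from a scripted `show` over SSH) per controller; a profile that still reports "Enabled" gets the two `no termination enable` lines from the post as its remediation.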