On 02/08/2013 11:42 PM, Jaap Winius wrote:
> Quoting Alan DeKok <al...@deployingradius.com>:
>
>> No. You can't turn off EAP. The client is sending EAP to the server.
>> You need to change the client. And likely you can't, because it
>> *needs* to do EAP.
>
> Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
> WPA-EAP and it looks like that's my only option. But, if you're correct,
> then how is this supposed to work? You make it sound like a catch-22.

The choice of authentication algorithm (EAP) and any EAP-type are made
client side.

Different EAP types have different requirements, in terms of what data
you need to successfully authenticate a user - see here:

http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html

PAM, as noted at the 2nd link, is an "oracle" that can *only* be used to
authenticate PAP, and therefore EAP-TTLS/PAP.

Your client is doing EAP-TTLS/EAP-MD5.

You have two choices:

1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able
   to authenticate
2. Stop using PAM, and provide the server with the client credentials
   in a form compatible with your EAP-type (see 1st URL above)

These are your only options.
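
Added example, not part of the original message and not code from FreeRADIUS or wpa_supplicant: a small Python check over a wpa_supplicant network block that reports the TTLS inner method and whether a PAM-backed server can authenticate it, following the rule stated in the reply above (PAM can only do PAP). The sample blocks, SSID, identity and password are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed wpa_supplicant.conf network block; SSID, identity and password
# are placeholders, not values from the thread.
BEFORE = '''
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user"
    password="placeholder"
    phase2="autheap=MD5"
}
'''
# Choice 1 from the reply: same TTLS tunnel, inner method switched to PAP.
AFTER = BEFORE.replace('phase2="autheap=MD5"', 'phase2="auth=PAP"')


def parse_network(block):
    """Return the key=value settings of one network={...} block, quotes stripped."""
    settings = {}
    for line in block.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith(("#", "network=")):
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def inner_method(settings):
    """Name the TTLS inner method: 'auth=' is non-EAP, 'autheap=' is an inner EAP type."""
    if settings.get("eap", "").upper() != "TTLS":
        return None
    match = re.search(r"\b(autheap|auth)=(\w+)", settings.get("phase2", ""))
    if match is None:
        return None  # inner method not stated in the block
    kind, name = match.groups()
    return "EAP-TTLS/" + ("EAP-" if kind == "autheap" else "") + name.upper()


def pam_can_authenticate(block):
    """Return (method, ok); ok is True only for EAP-TTLS/PAP, as the reply states."""
    method = inner_method(parse_network(block))
    return method, method == "EAP-TTLS/PAP"

if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        print(label, *pam_can_authenticate(block))
```

With EAP-TTLS/PAP the password crosses the TLS tunnel in cleartext, so the client block should also set ca_cert so that the server certificate is validated before the password is sent.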