> That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just > PAP. So "default_eap_type" is irrelevant. > > You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel > - by populating a cleartext or hashed password and calling the "pap" > module in the authorize/authenticate section, or other more specialised > configs.
Phil, Your email made me look at this configuration again. Turns out that setting set_auth_type in the ldap module to "no", leaving copy_request_to_tunnel unset (i.e. set to the default "no"), and allowing LDAP authentication only in the inner tunnel made things work the same way as what it had been with gtc set. Thanks for that! Another thing to add to the cook book. :-) Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
