Alan DeKok wrote:
> 1) The tunneled session is MS-CHAP, not PAP. The server is telling
> you this in the debug messages! I don't understand why you are asking
> about TTLS + PAP when you're using TTLS + MSCHAP. Please do not post
> misleading messages to the list.

I did not intend to mislead anyone. I didn't realize that the client was forcing TTLS+MSCHAP. It was my (mistaken) impression that the client and server would negotiate TTLS inner authentication. I have now learned that is NOT the case. Mac OS X clients need to be configured to do PAP as their TTLS Inner Authentication. That was the "missing link".

> 3) you didn't configure a clear-text password like I told you to.
> In your case, you should have configured it in LDAP.

Apparently that is not necessary since FreeRADIUS extracts the username and password from the PAP "packet" and uses them to bind to the LDAP server.

> 4) LDAP servers don't do MS-CHAP authentication. What you are trying to do is impossible.
> In the future, please describe what you're actually doing, and
> follow the instructions given on this list.

I tried to describe what I was trying/attempting to do. Unfortunately, step-by-step documentation on this issue is either lacking or doesn't exist.

Thank you for your response. I will now document this and post it in my HOWTO.

