Reputation: 1
I am trying to configure a freeradius server to support EAP-TTLS with inner authentication as CiscoLEAP.
I am using freeradius version 2.2.9 and have made the following changes in the eap.conf file:
eap {
    .
    default_eap_type = ttls
    .
    .
}
ttls {
    .
    default_eap_type = leap
    .
    .
}
With this configuration, client authentication is happening successfully as per the Cisco LEAP protocol. In my supplicant code I am receiving an intermediate SUCCESS from the server.
For server authentication, as per the Cisco LEAP spec, from the supplicant code I am sending a peer challenge to the server after receiving the intermediate EAP Success. But the server is not sending the challenge response; instead it is sending EAP-SUCCESS directly. Because of this, the supplicant is not able to authenticate the server.
Please let me know if any other configuration needs to be done on freeradius for EAP-TTLS with CiscoLEAP inner authentication to work completely.
Upvotes: 0
Views: 933
Reputation: 346
Cisco LEAP authentication cannot be set as inner authentication. In TTLS, freeradius (or equivalent) supports PAP, MSCHAP(V2), CHAP, MD5 and GTC as inner authentication.
If you want to do LEAP authentication in the second phase, you have to modify (or write potential code) freeradius.
LEAP is a single-layer authentication method, like PEAP. PEAP has inner authentication, but not LEAP. This is the main difference.
Upvotes: 0