I am attempting to set up a FreeRADIUS service to allow authentication against an HTTPS API, and I have it working for most Android devices; even my MacBook Pro works. However, when we attempt to use an iOS device (iPad, iPhone), the inner tunnel fails to get the User-Password field.

So the current setup is EAP -> TTLS -> custom auth.

eap.conf ttls section:

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

inner-tunnel custom auth:

    authorize {
        ...
        update control {
            Auth-Type := `/usr/local/bin/admin_portal.py %{User-Name} '%{User-Password}' %{Calling-Station-Id}`,
            Fall-Through = Yes
        }
    }

When I run in debug mode, I get the following output:

    expand: %{User-Name} -> user@somedomain.com
    expand: '%{User-Password}' -> ''
    expand: %{Calling-Station-Id} -> 01-23-45-67-89-ab

However, when I use a non-iOS device, the password is populated.
Any help would be appreciated. Thank you.
You need a TTLS inner method that sends the password in the clear. The most common method is TTLS-PAP.
If the supplicant authenticates with TTLS-PAP, the proxied request (to the inner tunnel) will contain a User-Password attribute, with the value the user entered (or that was cached by their supplicant).
Below is an example of setting up the profile with the Apple Configurator.
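
As an added example (not part of the original answer), the following Python builds a Wi-Fi configuration profile that requests EAP-TTLS with PAP as the inner method, and audits an existing profile for settings that would leave User-Password empty in the inner tunnel. The SSID, server name and payload identifiers are constructed values; the audit also goes one step beyond the answer by checking that the RADIUS server name is pinned, since the password is only protected by the TLS tunnel.

```python
import plistlib
import uuid

EAP_TTLS = 21               # EAP method number for EAP-TTLS
DEFAULT_INNER = "MSCHAPv2"  # Apple's documented default when the key is absent


def build_wifi_profile(ssid, server_name):
    """Return .mobileconfig bytes for an EAP-TTLS Wi-Fi payload with inner PAP."""
    eap = {
        "AcceptEAPTypes": [EAP_TTLS],
        "TTLSInnerAuthentication": "PAP",
        # Pin the RADIUS server name so the device only sends PAP to that server.
        "TLSTrustedServerNames": [server_name],
    }
    wifi = {
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile.wifi",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "SSID_STR": ssid, "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi " + ssid,
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """List (ssid, problem) pairs for Wi-Fi payloads that need attention."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "?")
        eap = payload.get("EAPClientConfiguration", {})
        inner = eap.get("TTLSInnerAuthentication", DEFAULT_INNER)
        if EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            findings.append((ssid, "EAP-TTLS not accepted"))
        elif inner != "PAP":
            findings.append((ssid, "inner method %s sends no User-Password" % inner))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "no TLSTrustedServerNames"))
    return findings
```
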