Hi, > And forces (even if I encountered several times that may not be done like > that) in the users conf : > testuser Auth-Type := PAP, User-Password == "testpass" > and also tested EAP,
Don't. FreeRadius typically treats EAP-Requests as _two_ requests. It handles the EAP stuff and then generates a new request for the stuff that's contained in the tunnel (e.g. PAP) and sends that to itself. So, if you force Auth-Type to either EAP or PAP unconditionally, either the "inner" (PAP) or the outer (EAP) protocol cannot be handled. > and not specifying the Auth-Type (which then fallback to the System > module and obviously fail) Now, that's a problem... > Without Auth-Type : > > rad_check_password: Found Auth-Type System > auth: type "System" > Processing the authenticate section of radiusd.conf > modcall: entering group authenticate for request 5 > rlm_unix: [testuser]: invalid password Apparently, it can't find a password (cleartext or uncrypted) for the user, so it falls back to Auth-Type System. Try to get PAP authentication working by itself, first, i.e. just use radtest to send username/password combinations to the server and fix their handling. Once that works, EAP-TTLS with PAP should work as well. HTH, Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html