Hello! I am trying to set up a simple Wlan-authentication using EAP-TTLS to avoid client certificates and PAM to use the server system authentication scheme. PAM doesn't know about users, and the users are situated in a LDAP database, which I think makes it logical to use rlm_ldap for authorization. I.e. I just want to check that users exist in LDAP and then move on to checking the password against PAM. The problem is that PAM is never used. This seems to be an artifact of the fact that rlm_ldap is supposed to fetch a "known good" password, but I don't have passwords in the LDAP database. rlm_ldap is indeed successful in authorizing, but there is no Auth-Type set to handle the authentication. If I for example force Auth-Type to PAM in the users file (not good, I know), TTLS-negotiation is never run. If I add Auth-Type LDAP { pam } to the authenticate section and let rlm_ldap set Auth-Type, it works with radtest, but fails using TTLS: pam_pass: function pam_acct_mgmt FAILED for <USERNAME>. Reason: Authentication service cannot retrieve authentication info My configuration is: FreeRADIUS 2.0.5 sites-enabled/default: authorize { preprocess auth_log eap { ok = return } files ldap pap } authenticate { Auth-Type PAP { pap } pam eap } Regards, Erik Karlsson.