Don't. FreeRadius typically treats EAP-Requests as _two_ requests. It handles the EAP stuff and then generates a new request for the stuff that's contained in the tunnel (e.g. PAP) and sends that to itself. So, if you force Auth-Type to either EAP or PAP unconditionally, either the "inner" (PAP) or the outer (EAP) protocol cannot be handled.
you are probably right, I definitly will avoid forcing Auth-Type and let freeradius do the job.
Apparently, it can't find a password (cleartext or uncrypted) for the user, so it falls back to Auth-Type System. Try to get PAP authentication working by itself, first, i.e. just use radtest to send username/password combinations to the server and fix their handling. Once that works, EAP-TTLS with PAP should work as well.
You pointed it out. Actually I just had to *comment out* (or force Auth-Type := PAP) : DEFAULT Auth-Type = System Fall-Through = 1 which was earlier defined in the users file. And stay with the simple : "testuser" Password == "testpass" The proxy works also like a charm if you take care to add in the proxy.conf, in the realm definition : 'nostrip' (got that stupid error about "Identity does not match User-Name, setting from EAP Identity" for a while) So thanks for the quick reply Stefan ! -- Mathieu