Hi, I'm well aware about not setting Auth-Type and let freeradius choose properly auth method, but I need LDAP authentication, and IT staff of LDAP server is very hostile to give freeradius userPassword info. So, my only choice is binding user to LDAP, and pray for the best... AFAIK, if I can't get proper userPassword (stored in SHA1 in LDAP), I'll never reach PAP module, and my only way out is using LDAP binding in authorize and authenticate sections of inner-tunnel. I'm using 2.1.12 version, and my inner-tunnel is as follows: server inner-tunnel { authorize { suffix eap { ok = return } switch "%{Realm}" { case "alumno.upo.es" { LDAP_estudiantes } case "upo.es" { LDAP_docentes } } } authenticate { eap Auth-Type LDAP_estudiantes { LDAP_estudiantes } Auth-Type LDAP_docentes { LDAP_docentes } Auth-Type PAP { pap } } session { radutmp } post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject } update outer.reply { User-Name = "%{request:User-Name}" } } And modules/ldap is as follows: ldap LDAP_estudiantes { server = "ldap.XXX.XX" basedn = "o=XXX, c=XX" filter = (&(|(uid=%{User-Name})(mail=%{Stripped-User-Name}@alumno.XX.XX)(mailAlternateAddress=%{Stripped-User-Name}@alumno.XX.XX))<mailto:mail=%25%7bStripped-User-Name%7d@alumno.XX.XX)(mailAlternateAddress=%25%7bStripped-User-Name%7d@alumno.XX.XX))> (IrisUserEntitlement=urn:mace:XXX.XX:XX.XX:entitlement:ServiciosRed:wifi:estudiantes) base_filter = "(objectclass=irisperson)" groupname_attribute = "IrisUserEntitlement" groupmembership_attribute = "IrisUserEntitlement" ldap_connections_number = 100 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no cacertfile=/etc/raddb/certs/SCSChain.XX.XX } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } ldap LDAP_docentes { server = "ldap.XXX.XX" basedn = "o=XXX, c=XX" filter = (&(|(uid=%{User-Name})(mail=%{Stripped-User-Name}@XX.XX)(mailAlternateAddress=%{Stripped-User-Name}@XX.XX))<mailto:mail=%25%7bStripped-User-Name%7d@XX.XX)(mailAlternateAddress=%25%7bStripped-User-Name%7d@XX.XX))> (IrisUserEntitlement=urn:mace:XXX.XX:XX.XX:entitlement:ServiciosRed:wifi:Docentes) base_filter = "(objectclass=irisperson)" groupname_attribute = "IrisUserEntitlement" groupmembership_attribute = "IrisUserEntitlement" ldap_connections_number = 100 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no cacertfile=/etc/raddb/certs/SCSChain.XX.XX } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } And, if I try one user with "alumno.XX.XX" realm, I'm getting: [ttls] Got tunneled request User-Name = "uwifialumno@alumno.XX.XX<mailto:uwifialumno@alumno.XX.XX>" User-Password = "XXXX" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "uwifialumno@alumno.XX.XX<mailto:uwifialumno@alumno.XX.XX>" User-Password = "XXXXX" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] Looking up realm "alumno.XXX.XX" for User-Name = "uwifialumno@alumno.XXX.XX<mailto:uwifialumno@alumno.XXX.XX>" [suffix] Found realm "alumno.XXX.XX" [suffix] Adding Stripped-User-Name = "uwifialumno" [suffix] Adding Realm = "alumno.XXX.XX" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop expand: %{Realm} -> alumno.XXX.XX ++- entering switch %{Realm} {...} +++- entering case alumno.XXX.XX {...} [LDAP_estudiantes] performing user authorization for uwifialumno [LDAP_estudiantes] expand: (&(|(uid=%{User-Name})(mail=%{Stripped-User-Name}@alumno.XXX.XX)(mailAlternateAddress=%{Stripped-User-Name}@alumno.XXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))<mailto:mail=%25%7bStripped-User-Name%7d@alumno.XXX.XX)(mailAlternateAddress=%25%7bStripped-User-Name%7d@alumno.XXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))> -> (&(|(uid=uwifialumno@alumno.XXX.XX)(mail=uwifialumno@alumno.XXX.XX)(mailAlternateAddress=uwifialumno@alumno.XXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))<mailto:uid=uwifialumno@alumno.XXX.XX)(mail=uwifialumno@alumno.XXX.XX)(mailAlternateAddress=uwifialumno@alumno.XXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))> [LDAP_estudiantes] expand: o=XXXXXX, c=XX -> o=XXXXX, c=XX [LDAP_estudiantes] ldap_get_conn: Checking Id: 0 [LDAP_estudiantes] ldap_get_conn: Got Id: 0 [LDAP_estudiantes] performing search in o=XXXXX, c=XX, with filter (&(|(uid=uwifialumno@alumno.XXX.XX)(mail=uwifialumno@alumno.XXX.XX)(mailAlternateAddress=uwifialumno@alumno.XXXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))<mailto:uid=uwifialumno@alumno.XXX.XX)(mail=uwifialumno@alumno.XXX.XX)(mailAlternateAddress=uwifialumno@alumno.XXXX.XX))(IrisUserEntitlement=urn:mace:XXX.XX:XXX.XX:entitlement:ServiciosRed:wifi:estudiantes))> [LDAP_estudiantes] looking for check items in directory... [LDAP_estudiantes] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [LDAP_estudiantes] Setting Auth-Type = LDAP_estudiantes [LDAP_estudiantes] user uwifialumno authorized to use remote access [LDAP_estudiantes] ldap_release_conn: Release Id: 0 ++++[LDAP_estudiantes] returns ok +++- case alumno.upo.es returns ok ++- switch %{Realm} returns ok Found Auth-Type = LDAP_estudiantes WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. Failed to authenticate the user. Login incorrect: [uwifialumno] (from client RedAPs-oviwan port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Why am I getting "Unknown value specified for Auth-Type", if I define: Auth-Type LDAP_estudiantes { LDAP_estudiantes } In my inner-tunnel config file? Thanks in advance, Ignacio Siles Jefe de Proyecto- Infraestructuras / Sol. y Prod. Wireless Dirección de Servicios y Soluciones I.T. Teléfono: +34 672.283.836 Skype jisiles.ingenia C/Severo Ochoa, 43 Parque Tecnológico de Andalucía 29590. Málaga Tel: +34 952029300 | Fax: +34 952029309 www.ingenia.es<http://www.ingenia.es>