Hello, I am trying to configure FreeRADIUS for guest Wi-Fi authentication using *EAP-TTLS/PAP*. My backend is a custom REST API that validates the username and plain-text password. The Phase 1 TLS tunnel is established successfully, but the inner authentication (Phase 2) always fails. The debug log shows that my inner-tunnel server rejects the user. Here is the part of my debug log: (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) eap: Peer sent EAP Response (code 2) ID 1 length 6 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP NAK (3) (7) eap: Peer NAK'd asking for unsupported EAP type MSCHAPv2 (26), skipping... (7) eap: ERROR: No mutually acceptable types found (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user ... (7) eap_ttls: Got tunneled Access-Reject (7) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed My eap.conf is configured to use default_eap_type = "pap" inside the ttls section. *My questions are:* 1. Does the log line Peer NAK'd asking for unsupported EAP type MSCHAPv2 definitively mean that client requests MSCHAPv2 but the server is only configured to accept EAP-TTLS/PAP? 2. What is the recommended best practice to solve this for a guest network? Should I focus on forcing the client devices to use PAP, or is it more reliable to reconfigure my server and REST API to support MSCHAPv2 (by providing the NT-Password hash)? Thank you for your help