Hi, The aim and assumptions: -configure FR to authenticate users against OpenLDAP server, -FR would use EAP method, -passwords in LDAP are stored as SHA1, -according to http://deployingradius.com/documents/protocols/compatibility.html the only way to deal with LDAP auth is to use PAP or EAP-GTC. Since client forces EAP method we have no choice than EAP-GTC. Is that correct? -clients are EAP-GTC capable, -FR v2.2.6. After some hours in my lab I finished with the following FR config: 1) in eap.conf: -in eap general settings I set default_eap_type to "gtc" -in gtc section I put "auth_type = LDAP". 2) in sites-enabled/default: -authorize section - not touched, -authentication section - uncomment "Auth-Type LDAP { ldap }", And it is working fine! Now, the questions: a) I am afraid about your comments in gtc section. It stands that: # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. # # Proxying the tunneled EAP-GTC session is a bad idea, # the users password will go over the wire in plain-text, # for anyone to see. Can I use eap-gtc "alone" without PEAP/TTLS? Secure tunnel is delivered via IPsec connection so I do not bother about security in that case. What is your opinion? b) How would you configure FR to meet mentioned above requirements? Gabriel