I'm trying to configure Freeradius to use LDAP (which is working), but I need to mix PAP and CHAP. I have a wireless web-auth that uses PAP and is sending the cleartext password (tunneled via TLS) to the LDAP database that contains the encrypted (SSHA) user passwords. I also have switches that only do CHAP but for those, I'm only going to do MAC-auth so I've set up a separate database (same LDAP server, different basedn) that contains cleartext passwords (the MAC address) for each MAC that is authorized for the switch. I know it's not the best access control, but better then none. I've set up 4 ldap modules, two different basedn's on two redundant servers. This appears to work so far, but am I missing something here that's going to cause problems down the line??? Here are the authorize and authenticate sections of default, I haven't removed mschap, suffix, eap, unix or files, but none of them _should_ be used.: authorize { preprocess auth_log chap mschap suffix eap { ok = return } unix files redundant-load-balance { ldap-server1-radius ldap-server2-radius } redundant-load-balance { ldap-server1 ldap-server2 } expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { redundant-load-balance { ldap-server1 ldap-server2 } } eap }