I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on top of CentOS6. For simplicity, I would like to use PAP and statically define Cleartext-Password for users in the users file. But I also would like to be able to authenticate using full realm since I plan on using realm for testing some routing. I currently have this working for basic radius by stripping the realm and then using Cleartext-Password from the users file ... however, when I went to put the same setup through EAP TTLS, I'm now having problems and getting a no User-Password attribute dispite supplying one the same one from radtest but using rad_eap_test. Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d) Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [ bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d) While researching, I came across a theory that sounds fitting to my situation... upon receiving a username qualified by a realm, FreeRadius will strip the realm off before matching the username. This results in the User-Name being modified to be different to the EAP Identity field before being sent for actual authenticating. This results in FreeRadius issueing a rejection due to the mismatch between the two fields. Does that sound right? If so, I'm not sure what I can do about it... I can't nostrip the username as then I won't be able to authenticate via PAP. but I can't login identically matching my users file (ie no realm), because I need the realm for routing. Suggestions? Thanks, -Rob