Hi, Ok i read all of the debug output, and i think i can understand mechanism. However could you confirm (or not) what i understand ? In case of an EAP/TTLS connexion : - Freeradius get a request, with a particular attribut : EAP-Message - Entering authorize section, only EAP one matches because of EAP attribut => Auth-Type is set to EAP - Entering authenticate section, Freeradius sent a challenge to client - Client answer - Freeradius get a new request with attribut EAP-Message, State and a new Message-Authenticator - Entering authorize section, EAP matches - Entering authenticate section. EAP matches (Auth-Type = EAP). Freeradius sent response to client (negociating ?) - Client answer - Freeradius get a new request with attribut EAP-Message, State and new Message-Authenticator - Entering authorize section, EAP matches, tunnel setup is set - Entering authenticate section. EAP matches (Auth-Type = EAP). TTLS type found, beginning with TLS. SSL working, sending response to client - Client answer - Freeradius get a new request with attribut EAP-Message, State and new Message-Authenticator - Entering authorize section, EAP matches, tunnel continues - Entering authenticate section. EAP matches (Auth-Type = EAP). Negociating SSL, sending response to client - Client answer - Freeradius get a new request with attribut EAP-Message, State and new Message-Authenticator - Entering authorize section, EAP matches, tunnel continues - Entering authenticate section. EAP matches (Auth-Type = EAP). SSL tunnel negociated, sending response to client - Client answer - Freeradius get a new request with attribut EAP-Message, State and new Message-Authenticator - Entering authorize section, EAP matches, tunnel continues - Entering authenticate section. EAP matches (Auth-Type = EAP). SSL tunnel negociated, session establisshed, sending response to client - Client answer - Freeradius get a new request with attribut EAP-Message, State and new Message-Authenticator - Entering authorize section, EAP matches, tunnel continues - Entering authenticate section. EAP matches (Auth-Type = EAP). Session establisshed, entering inner-tunnel section. A this time, no more EAP request/send, only new authorise/authenticate in the tunnel. - Entering inner-tunnel authorize section, LDAP matches - Entering LDAP section : bind successful, login is authenticated - Access-Accept is send to client If i'm right, i'm asking some questions : - in the first step of the connexion, what is exactly the job of authorize section ? Does it only set auth-type when finding any "clue" in the request ? - when connexion is in the tunnel step, a "reduced" request is sent ( without EAP attributes). This request is checked by the inner-tunnel authorize section which will set the auth-type, right ? Here the auth-type found is LDAP. If i follow the entire log, i can see - entering authorize - finding Ldap Auth - entering LDAP section, and then bind... But i can't see entering authenticate section as we can see in the firt step with EAP It's quite hard to explain, but * Outside tunnel : request -> authorize section -> Foudn type EAP -> authenticate section -> EAP working * Inside tunnel : request -> authorize section -> Foudn type LDAP -> LDAP working Why is there an "authenticate section" for EAP and a direct use of LDAP section for LDAP ? -- Emmanuel BILLOT CATEL - Dpt. Système et Réseaux Rectorat - Académie d'Orléans-Tours 10, rue Molière - 45000 Orléans Tél : 02 38 79 45 57