Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
Your client is doing EAP-TTLS/EAP-MD5.
You have two choices:
1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able to authenticate 2. Stop using PAM, and provide the server with the client credentials in a form compatible with your EAP-type (see 1st URL above)
Choice #1 seemed worth a shot, so I altered my client's wpa_supplicant.conf by adding one extra line -- a 'phase2' attribute for PAP: network={ ssid="mynet" scan_ssid=1 key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP eap=TTLS identity="jwinius" password="secret" ca_cert="/etc/certs/ca.pem" phase2="auth=PAP" } This configuration, together with the freeradius configuration already described in my first post in this thread, worked immediately. :-) Thank you very much, Phil Mayers, and thanks also to Alan DeKok. Cheers, Jaap