Hi, I'm setting up a RADIUS server which among others has to be linked to PAM. One of my primary requirements is that is uses secure cryptography. The main question is: 1. Does the PAM Radius module support EAP-TTLS with an inner tunnel of PAP? I did some research and came accross http://lists.freeradius.org/pipermail/freeradius-users/2013-December/069408...., which unfortunately doesn't answer my question. I scanned through the sourcecode of the PAM_radius module, which does not have any indication of TLS support. Background: Most supported protocols are based on MD5, which has been severly comprimised[1], or a single DES key (MSCHAP V2) [2], which is also comprimised. So that only leaves the TLS based protocols, Based on [3] I assume I should use PAP for the inner tunnel, because this enables me to store hashed password (will use SSHA512). If you know a more secure setup, don't hesitate to advice me :). Also if I made a mistake somewhere, don't hesitate to correct me :) As a final remark, I think it would be beneficial for the security of many account details, both transfered and stored for (FREE)RADIUS, to include clear warnings on the pages about insecure protocols/authentication standards. [1] https://en.wikipedia.org/wiki/MD5 [2] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ [3] http://deployingradius.com/documents/protocols/compatibility.html